Abstract

We consider the cryptographic problem of constructing an invertible random permutation
from a public random function (i.e., one which can be accessed by the adversary). This goal is
formalized by the notion of indifferentiability of Maurer et al. (TCC 2004). This is the natural
extension to the public setting of the well-studied problem of building random permutations
from random functions, which was first solved by Luby and Rackoff (SIAM J. Comput., '88)
using the so-called Feistel construction.

The most important implication of such a construction is the equivalence of the random
oracle model (Bellare and Rogaway, CCS '93) and the ideal cipher model, which is typically used
in the analysis of several constructions in symmetric cryptography.

Coron et al. (CRYPTO 2008) gave a rather involved proof that the six-round Feistel construction
with independent random round functions is indifferentiable from an invertible random
permutation. Also, it is known that fewer than six rounds do not suffice for indifferentiability.
The first contribution (and starting point) of our paper is a concrete distinguishing attack which
shows that the indifferentiability proof of Coron et al. is not correct. In addition, we provide
supporting evidence that an indifferentiability proof for the six-round Feistel construction may
be very hard to find.

To overcome this gap, our main contribution is a proof that the Feistel construction with
fourteen rounds is indifferentiable from an invertible random permutation. The approach of our
proof relies on assigning to each of the rounds in the construction a unique and specific role
needed in the proof. This avoids many of the problems that appear in the six-round case.

Keywords. Cryptography, random oracle model, ideal cipher model, Feistel construction,
indifferentiability.
1 Introduction



1.1 Random Functions and Permutations: The Feistel Construction

Many cryptographic security proofs rely on the assumption that a concrete cryptographic function
(e.g. a block cipher or a hash function) behaves as a random primitive, i.e., an ideal object which
answers queries "randomly". A typical example is a random function $F : \{0,1\}^m \to \{0,1\}^n$,
which associates with each $m$-bit input $x$ a uniformly distributed $n$-bit value $F(x)$. We speak of a
random oracle if the domain consists of all strings of finite length, rather than all $m$-bit ones. A
random permutation $P : \{0,1\}^n \to \{0,1\}^n$ is another example: It behaves as a uniformly-chosen
permutation from the set of all permutations on $\{0,1\}^n$, allowing both forward queries $P(x)$ and
backward queries $P^{-1}(y)$.

Many results in cryptography can be recast as finding an explicit construction of a random
primitive from another one in a purely information-theoretic setting. For instance, the core of Luby
and Rackoff's seminal result [LR88] on building pseudorandom permutations from pseudorandom
functions (a computational statement) is a construction of a random permutation from random
functions via the $r$-round Feistel construction $\Psi_r$: It implements a permutation taking a $2n$-bit
input $(L_0, R_0)$ (where $L_0, R_0$ are $n$-bit values), and the output $(L_r, R_r)$ is computed via $r$ rounds
mapping $(L_i, R_i)$ to $(L_{i+1}, R_{i+1})$ as

$$L_{i+1} := R_i, \qquad R_{i+1} := L_i \oplus F_{i+1}(R_i),$$

where $F_1, \ldots, F_r : \{0,1\}^n \to \{0,1\}^n$ are so-called round functions. The main statement of [LR88] is
that if the round functions are independent random functions, then $\Psi_3$ is information-theoretically
indistinguishable from a random permutation which does not allow backward queries, whereas $\Psi_4$
is indistinguishable from a full-fledged random permutation.
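The round map above, as an added example that is not part of the paper: an implementation of $\Psi_r$ with lazily sampled independent random round functions, together with its inverse. It shows concretely why the construction is a permutation for every $r$ and why backward queries $P^{-1}$ cost nothing extra, since inverting a round only needs a forward query to $F_i$. The bit widths, seeds and function names are assumptions of this example.

```python
import random


def feistel(F, x0, x1, rounds):
    """Evaluate Psi_r on the 2n-bit input (L_0, R_0) = (x0, x1).

    F(i, x) is the i-th round function F_i.  Writing the state after round i as
    (x_i, x_{i+1}), one round computes x_{i+1} = F_i(x_i) XOR x_{i-1}, which is
    exactly L_{i+1} := R_i, R_{i+1} := L_i XOR F_{i+1}(R_i) of Section 1.1.
    """
    for i in range(1, rounds + 1):
        x0, x1 = x1, F(i, x1) ^ x0
    return x0, x1                      # (L_r, R_r) = (x_r, x_{r+1})


def feistel_inverse(F, xr, xr1, rounds):
    """Invert Psi_r: undo rounds r, ..., 1.  Only forward queries to the round
    functions are needed, since x_{i-1} = F_i(x_i) XOR x_{i+1}."""
    for i in range(rounds, 0, -1):
        xr, xr1 = F(i, xr) ^ xr1, xr
    return xr, xr1                     # (x_0, x_1)


class LazyRandomFunctions:
    """r independent random functions {0,1}^n -> {0,1}^n.  Each F_i is a table
    that is filled with a fresh uniform value the first time an input is queried
    (this is how random primitives are usually realised in a reduction)."""

    def __init__(self, rounds, n_bits, seed):
        self.rng = random.Random(seed)          # seeded only for reproducibility
        self.n_bits = n_bits
        self.tables = [dict() for _ in range(rounds + 1)]   # index 0 unused

    def __call__(self, i, x):
        table = self.tables[i]
        if x not in table:
            table[x] = self.rng.getrandbits(self.n_bits)
        return table[x]


def check_permutation(rounds=4, n_bits=16, samples=256, seed=7):
    """Round-trip random inputs through Psi_r and its inverse and check that
    distinct inputs map to distinct outputs.  Returns True if every sample
    inverts correctly and the sampled map is injective (assumed parameters)."""
    F = LazyRandomFunctions(rounds, n_bits, seed)
    rng = random.Random(seed + 1)
    inputs, outputs = set(), set()
    for _ in range(samples):
        x0, x1 = rng.getrandbits(n_bits), rng.getrandbits(n_bits)
        y = feistel(F, x0, x1, rounds)
        if feistel_inverse(F, y[0], y[1], rounds) != (x0, x1):
            return False
        inputs.add((x0, x1))
        outputs.add(y)
    return len(outputs) == len(inputs)


if __name__ == "__main__":
    for r in (1, 3, 4, 14):
        print(f"Psi_{r} is a permutation on the sampled inputs: {check_permutation(rounds=r)}")
```

Note that invertibility holds for any round functions at all, even constant ones; what [LR88] adds is the statement about indistinguishability when the $F_i$ are random, and that is not what this check measures.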

1.2 The Random Oracle and Ideal Cipher Models: Indifferentiability

Random primitives are frequently employed to model an idealized cryptographic function accessible
by all parties in the scenario at hand, including the adversary. The most prominent example is the
Random Oracle Model [BR93], where a random oracle models an ideal hash function. Although it
is known that no concrete hash function can achieve the functionality of a random oracle [CGH04]
(see also [MRH04]), security proofs in the random oracle model provide a common heuristic as to
which schemes are expected to remain secure when the random oracle is instantiated with a concrete
hash function. In fact, to date, many widely employed practical schemes, such as OAEP [BR94]^1
and FDH [BR96], only enjoy security proofs in the random oracle model.

The ideal cipher model is another widespread model in which all parties are granted access
to an ideal cipher $E : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$, a random primitive such that the restrictions
$E(k, \cdot)$ for $k \in \{0,1\}^\kappa$ are $2^\kappa$ independent random permutations. Application examples of the
ideal cipher model range from the analysis of block-cipher based hash function constructions (see,
for example [BRS02]) to disproving the existence of generic attacks against constructions such as
cascade encryption [BR06; GM09] and to studying generic related-key attacks [BK03].

Equivalence of models and indifferentiability. This paper addresses the fundamental question
of determining whether the random oracle model and the ideal cipher model are equivalent,
where equivalence is to be understood within a simulation-based security framework such as [Can01]:
In other words, we aim at answering the following two questions:

(1) Can we find a construction $C_1$, which uses an ideal cipher $E$, such that $C_1^E$ is "as good as" a
random oracle $R$, meaning that any secure cryptographic scheme using $R$ remains secure when
using $C_1^E$ instead?

(2) Conversely, is there $C_2$ such that $C_2^R$ is "as good as" an ideal cipher $E$?

Indistinguishability is not sufficient to satisfy the above requirement of being "as good as", as the
adversary can exploit access to the underlying primitive. Instead, the stronger notion of indifferentiability
due to Maurer et al. [MRH04] is needed: the system $C_1^E$ is indifferentiable from $R$ if there
exists a simulator^2 $S$ accessing $R$ such that $(C_1^E, E)$ and $(R, S^R)$ are information-theoretically
indistinguishable. This is equivalent to stating that the adversary is able to locally simulate the ideal
cipher consistently with $R$, given only access to the random oracle and without knowledge of the
queries to $R$ of the honest users. Of course, indifferentiability generalizes to arbitrary primitives:
The definition of being indifferentiable from $E$ is analogous.^3

^1 However, we note that standard model instantiations of OAEP for certain classes of trapdoor functions
exist [KOS10], even though they only achieve a weaker security notion than what is provable in the random oracle model.

Prior work and applications. Question (1) above is, to date, well understood: Coron et
al. [CDMP05], and a long series of subsequent work, have presented several constructions of random
oracles from ideal ciphers based on hash-function constructions such as the Merkle-Damgård
construction [Mer89; Dam89] with block-cipher based compression functions. In particular, indifferentiability
has become a de-facto standard security requirement for hash function constructions,
generally interpreted as the absence of generic attacks against the construction treating the block
cipher as a black box.

In a similar vein, answering question (2) could provide new approaches to designing block ciphers
from non-invertible primitives. But in contrast to question (1), the problem is far less understood.
Dodis and Puniya [DP06] considered constructions in the so-called honest-but-curious model, where
the adversary only gets to see queries made by the construction to the public random function,
but is not allowed to issue queries of her choice: They showed that $\omega(\log n)$ rounds of the Feistel
construction are sufficient to build an ideal cipher.^4 In the same work, it was first noted that four
rounds are insufficient to achieve indifferentiability of the Feistel construction.

Finally, at CRYPTO 2008, Coron et al. [CPS08a] presented a first proof that the six-round
Feistel construction $\Psi_6$ with independent random round functions is indifferentiable from a random
permutation,^5 hence seemingly settling the equivalence of the ideal cipher model and the random
oracle model. They also showed that five rounds are insufficient for this task. Also, a somewhat
simpler proof that the ten-round Feistel construction $\Psi_{10}$ with independent round functions is
indifferentiable from a random permutation was later presented in [Seu09], the PhD thesis of the
last author of [CPS08a].

Following the publication of this result, the equivalence of the random oracle and ideal cipher
models has been used to infer security in the random oracle model using an ideal cipher (or random
permutation) as an intermediate step [DPW10] and to prove impossibility of black-box constructions
from block ciphers [LZ09].

^2 Usually required to be efficient, i.e., with running time polynomial in the number of queries it processes.

^3 Interestingly, we cannot construct a non-invertible random permutation from a random oracle. This follows from
a well-known result by Rudich [Rud89] and Kahn et al. [KSS00].

^4 The notion of honest-but-curious indifferentiability is very subtle, as in general it is not even implied by full
indifferentiability.

^5 Note that this implies a construction of an ideal cipher from a random oracle, as we can construct the independent
round functions from a random oracle. Moreover, they can be keyed to obtain an independent cipher for each value
of the key.

1.3 Our Contributions

The surprising starting point of our work is a distinguishing attack, outlined and analyzed in
Section 2, which shows that the proof of [CPS08c] (the full version of [CPS08a]) is not correct: For
the simulator given in the proof, our attack distinguishes with overwhelming advantage. Despite
hopes, at first, that we could fix the proof of Coron et al. by minor modifications, we were unable
to do so. In fact, we provide a stronger attack which appears to succeed against a large class of
simulators following the natural approach of [CPS08c]. We also found similar problems in the proof
given in [Seu09], and so the question of settling the equivalence of the ideal cipher model and of
the random oracle model remains open.

In order to overcome this situation, the main contribution of this paper is a proof (given in
Section 3) that the fourteen-round Feistel construction $\Psi_{14}$ is indifferentiable from a random
permutation. The round number is motivated by the goal of providing a simple-to-understand proof,
rather than by the goal of minimizing the number of rounds. Our proof relies on techniques which
are significantly different from the ones used in [CPS08c].

We discuss our results in more detail in the following section.

1.4 Sketch of the Previous Problems and the New Proof

First, we discuss the basic idea of building a random permutation from a random oracle via the
$r$-round Feistel construction $\Psi_r$. Then we discuss the problems in the previous proofs and finally
sketch our new proof. Some readers might find it helpful to consider the illustration of the Feistel
construction on page 12 in the following.

Simulation via chain-completion. Since we already fixed our construction to be $\Psi_r$, the core of
the proof is the construction of a simulator $S$ that uses a given random permutation $P : \{0,1\}^{2n} \to \{0,1\}^{2n}$
to consistently simulate $r$ independent functions $F_1, \ldots, F_r$ from $\{0,1\}^n$ to $\{0,1\}^n$. In
particular, suppose that a distinguisher queries the round functions to evaluate $\Psi_r$ on input
$x \in \{0,1\}^{2n}$. Then, it is required that the result matches the output of $P$ on input $x$.^6 To this end, the
simulator needs to somehow recognize queries belonging to such a sequence $x_1, \ldots, x_r$, and to set
the values $F_i(x_i)$ to enforce consistency with $P$. In the following, such sequences $x_1, \ldots, x_r$ will be
called chains.

The natural idea used by Coron et al. is to isolate so-called partial chains among queries made to
the round functions. An example of a partial chain is a triple $(x_1, x_2, x_3)$ such that $x_3 = x_1 \oplus F_2(x_2)$,
and each of $x_1$, $x_2$, and $x_3$ has previously been queried to the corresponding round function $F_i$.
In particular, upon each query to $F_i$, the simulator checks whether one (or more) partial chains
are created. When such a partial chain is detected (and some additional conditions are met),
the simulator completes it to a (full) chain $x_1, x_2, \ldots, x_r$ such that $x_{i+1} = F_i(x_i) \oplus x_{i-1}$ for all
$i = 2, \ldots, r-1$, and $P(x_0, x_1) = (x_r, x_{r+1})$, where $x_0 := F_1(x_1) \oplus x_2$ and $x_{r+1} := F_r(x_r) \oplus x_{r-1}$. In
particular, the simulator defines two consecutive values $F_i(x_i)$ and $F_{i+1}(x_{i+1})$ adaptively to satisfy
all constraints. In our example, the simulator could complete the partial chain by first finding $x_0$,
computing $x_r$ and $x_{r+1}$ from $P(x_0, x_1)$, and finally evaluating the Feistel construction backwards, by
setting each undefined $F_i(x_i)$ to a fresh uniform random string, until only $F_4(x_4)$ and $F_5(x_5)$ are
undefined. These two values are then defined as $F_4(x_4) := x_3 \oplus x_5$ and $F_5(x_5) := x_4 \oplus x_6$. We
refer to this step as adapting the output values of $x_4$ and $x_5$.

^6 Of course, much more is needed, as the distribution of the output needs to be indistinguishable, but surely, the
above requirement is necessary.
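The chain-completion step just sketched, as an added example that is not part of the paper and not the simulator of Coron et al.: a toy simulator $S^P$ for the six-round construction that detects partial chains $(x_1, x_2, x_3)$ with $x_3 = x_1 \oplus F_2(x_2)$, computes $(x_6, x_7) = P(x_0, x_1)$, sets the buffer value $F_6(x_6)$ uniformly and adapts $F_4(x_4)$ and $F_5(x_5)$. It deliberately has only this one detect zone, so it reproduces the abort of problem (ii) when a distinguisher evaluates the construction from the bottom. The random permutation is sampled lazily; widths, seeds and names are assumptions of the example.

```python
import random

N_BITS = 32              # n: width of one Feistel half; P acts on 2n = 64 bits (assumed size)
ROUNDS = 6               # the six-round construction of Coron et al.
MASK = (1 << N_BITS) - 1


class LazyRandomPermutation:
    """Ideal random permutation P on {0,1}^{2n}, sampled lazily: a fresh output
    is drawn by rejection so that the table stays injective and forward and
    backward queries remain consistent."""

    def __init__(self, rng):
        self.rng, self.fwd, self.inv = rng, {}, {}

    def P(self, x0, x1):
        key = (x0 << N_BITS) | x1
        if key not in self.fwd:
            while True:
                y = self.rng.getrandbits(2 * N_BITS)
                if y not in self.inv:
                    break
            self.fwd[key], self.inv[y] = y, key
        y = self.fwd[key]
        return y >> N_BITS, y & MASK


class ChainCompletionSimulator:
    """Toy simulator S^P for F_1, ..., F_6 following the sketch in Section 1.4:
    it detects partial chains (x1, x2, x3) with x3 = x1 XOR F2(x2) and completes
    them, adapting F4 and F5 so that the chain agrees with P."""

    def __init__(self, perm, rng):
        self.perm, self.rng = perm, rng
        self.F = [dict() for _ in range(ROUNDS + 1)]   # F[i] is the history of F_i
        self.completed = set()                         # partial chains already completed
        self.aborted = False

    def query(self, i, x):
        """Distinguisher interface: the value F_i(x)."""
        if x not in self.F[i]:
            self.F[i][x] = self.rng.getrandbits(N_BITS)
            self._detect_and_complete()
        return self.F[i][x]

    def _detect_and_complete(self):
        for x2, f2 in list(self.F[2].items()):
            for x1 in list(self.F[1]):
                x3 = x1 ^ f2
                if x3 in self.F[3] and (x1, x2) not in self.completed:
                    self.completed.add((x1, x2))
                    self._complete(x1, x2, x3)

    def _complete(self, x1, x2, x3):
        # Chain convention of the text: x_{i+1} = F_i(x_i) XOR x_{i-1} and P(x0, x1) = (x6, x7).
        x0 = self.F[1][x1] ^ x2
        x6, x7 = self.perm.P(x0, x1)
        if x6 not in self.F[6]:                        # buffer value: fresh and uniform
            self.F[6][x6] = self.rng.getrandbits(N_BITS)
        x5 = x7 ^ self.F[6][x6]                        # evaluate backwards from (x6, x7)
        x4 = x2 ^ self.F[3][x3]                        # evaluate forwards from (x2, x3)
        if x4 in self.F[4] or x5 in self.F[5]:         # problem (ii) of the text: cannot adapt
            self.aborted = True
            return
        self.F[4][x4] = x3 ^ x5                        # adapt: x5 = F4(x4) XOR x3
        self.F[5][x5] = x4 ^ x6                        # adapt: x6 = F5(x5) XOR x4


def feistel_via_queries(F, x0, x1, rounds=ROUNDS):
    """Evaluate Psi_r top-down by querying the (simulated) round functions."""
    for i in range(1, rounds + 1):
        x0, x1 = x1, F(i, x1) ^ x0
    return x0, x1


def top_down_check(trials=50, seed=3):
    """A distinguisher that evaluates Psi_6 from the top on random inputs and
    compares with P.  Returns True if all outputs agree and S never aborted."""
    rng = random.Random(seed)
    perm = LazyRandomPermutation(rng)
    sim = ChainCompletionSimulator(perm, rng)
    for _ in range(trials):
        x0, x1 = rng.getrandbits(N_BITS), rng.getrandbits(N_BITS)
        if feistel_via_queries(sim.query, x0, x1) != perm.P(x0, x1):
            return False
    return not sim.aborted


def bottom_up_check(seed=5):
    """The same simulator against a distinguisher that queries P first and then
    evaluates the construction backwards from (x6, x7).  This toy has no detect
    zone for such chains, so it only notices the chain after F_1 is queried, by
    which time F_4 is already fixed: adaptation fails and the outputs disagree.
    Returns (consistent_with_P, aborted)."""
    rng = random.Random(seed)
    perm = LazyRandomPermutation(rng)
    sim = ChainCompletionSimulator(perm, rng)
    x0, x1 = rng.getrandbits(N_BITS), rng.getrandbits(N_BITS)
    a, b = perm.P(x0, x1)
    for i in range(ROUNDS, 0, -1):                     # x_{i-1} = F_i(x_i) XOR x_{i+1}
        a, b = sim.query(i, a) ^ b, a
    return (a, b) == (x0, x1), sim.aborted


if __name__ == "__main__":
    print("top-down distinguisher sees a consistent Psi_6:", top_down_check())
    print("bottom-up distinguisher (consistent, aborted):", bottom_up_check())
```

The bottom-up run is the cheapest illustration of why a real simulator must also detect chains that touch $P$ (Definition 2.1 (ii) and (iii) below): by the time the only detect zone fires, the values the simulator would need to adapt are already in the history, which is exactly the situation in which the simulator of Coron et al. aborts.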
At this point, one faces (at least) two possible problems:

(i) The simulator defines new values at chain completion, and may keep producing new partial
chains while it completes chains, hence potentially running forever. Coron et al. solve this
problem very elegantly by a smart decision of which partial chains are completed. Then, they
are able to show that the recursion stops after at most $\mathrm{poly}(q)$ steps, where $q$ is the number
of queries the distinguisher makes to the permutation. We use their strategy in our proof,
though in the simplified version of [Seu09], as we detect fewer chains.

(ii) The simulator may try to adapt $F_5(x_5)$ to some value, even though $F_5(x_5)$ has been fixed to a
different value before. In this case, the simulator by Coron et al. aborts, and it hence becomes
necessary to show that no distinguisher can make the simulator abort except with negligible
probability.



Breaking previous simulators. Unfortunately, the proof given in [CPS08c] does not solve (ii)
above. In fact, it is possible to find a sequence of queries such that the simulator, with high
probability, attempts to change a value of a previously fixed $F_i(x)$, and aborts. We provide an
intuition of the attack in Section 2.3. A full proof that our attack breaks the simulator is
contained in Appendix B.

We formally prove that our attack distinguishes with overwhelming advantage. However, in
view of the complexity of the considered random experiments, we have also decided to gain extra
confidence in the correctness of our proof by simulating the setting of the attack. We therefore
implemented the simulator from [CPS08c] in Python, and then used our distinguisher on it. The
results confirm our theoretical analysis. The code is included as an ancillary file in the full version
of this paper [HKT10], and is available for download.

We also point out that the proceedings version of [CPS08c], as well as an earlier version available
on the eprint archive [CPS08b], presented a significantly simpler simulator. However, it suffered
from the same problem, and a simpler attack was possible. We assume that the authors were aware
of this problem when they modified the simulator, as some modifications appear to specifically rule
out some of the attacks we found against the simpler simulator. However, this is speculation: no
explanation is given in [CPS08c].

In the 10-round case, Seurin gives a much simpler simulator in his PhD thesis [Seu09]. At
present, we do not know whether this simulator can be attacked.



Problems with the previous proofs. Given our attack, it is natural to ask where the proof
given in [CPS08c] fails. We explore this question in Section 2.2, but we can give a short explanation
here. Consider the example above. When the simulator attempts to define the value of $F_5(x_5)$, the
proof assumes that it can do so, because earlier on, $F_6(x_6)$ was chosen uniformly at random, and $x_5$
was set to be $x_5 := x_7 \oplus F_6(x_6)$. The hope is that this implies that in the meanwhile $F_5(x_5)$ has not
been defined, except with very small probability. Unfortunately, between the moment where $F_6(x_6)$
was chosen uniformly, and the moment where $F_5(x_5)$ needs to be defined, the simulator may have
completed a large number of other partial chains. This can destroy our expectation completely,
and indeed, our attack does exploit this fact. We cannot hope to complete each detected chain
immediately when it is detected: For example, the definition of a single function value may cause
us to detect many new chains at the same time. These chains have to be completed in some
order, and thus there exist chains such that between their detection and their completion many
other function values are defined. This means that it is not obvious how to solve this problem.

Furthermore, while we do not know whether the simulator in [Seu09] can be attacked, the
problems with the proof we describe here are present in [Seu09] as well.

Further problems with previous proofs. There are, in fact, further problems with the previous
proofs [CPS08c; Seu09]. All previous proofs reduced the task of proving indifferentiability to
the task of upper bounding the abort probability of the given simulator. Yet, it turns out that this
reduction is quite delicate as well. In fact, both proofs of [CPS08c] and [Seu09] have several gaps
in this part, which we were not able to fill directly.^7 Thus, we give a completely new proof for this
part as well.

Ideas we use from the previous proofs. Since evidence points towards the fact that simulating
a 6-round Feistel construction is difficult, we consider the simulator for the 10-round construction
used in [Seu09], which is significantly simpler and much more elegant. Even though our simulator
is for 14 instead of 10 rounds, it is similar to the one in [Seu09]: the zones where we detect and
adapt chains are analogous. This allows us to reuse the elegant idea of [Seu09] for bounding the
simulator's running time.

Intuition of our proof. In order to explain the main new ideas we use, we first give a more
complete sketch of our simulator and our proof. Of course, many details are omitted in this sketch.

As in previous work, our simulator detects chains, and completes them. In order to detect
chains, we follow [Seu09] and use special detect zones, where the simulator detects new chains.
Also, as in [Seu09], we have adapt zones, in which the simulator fixes the values of $F_i(x_i)$ such that
the produced chain matches the given permutation $P$. Unlike before, we use buffer rounds (namely
rounds 3, 6, 9, and 12) between the zones where chains are detected, and the zones where values are
adapted. The function values in the buffer rounds are always defined by setting them to uniform
random values. The figure on page 12 has these zones marked.

We now discuss what happens when the simulator detects a new chain with values $(x_1, x_2, x_{13}, x_{14})$,
and suppose that the simulator decides to adapt the resulting chain at positions 4 and 5. Because
of the way the simulator chooses the adapt zone to use, it is not extremely hard to show that at
the moment this chain is detected, the values $F_3(x_3)$ and $F_6(x_6)$ in the buffer rounds around this
adapt zone have not been defined yet, where $x_3$ and $x_6$ are the values corresponding to rounds 3
and 6 of the detected chain (and similar statements are proven in [Seu09]).

The hope at this point is that $F_3(x_3)$ (and also $F_6(x_6)$, but let us concentrate on $F_3(x_3)$) is
still unset when the simulator is ready to complete this chain. Intuitively, this should hold at least
in case the function values $F_2$ and $F_4$ are set at random, because then, the simulator should only
run into trouble if some kind of unlikely collision happens (it turns out later that actually it is not
necessary to always set $F_4$ at random, but the intuition why this holds is somewhat advanced).

In order to prove that indeed this hope holds, we first use a queue to order the chains which the
simulator detects and completes. This ensures that when it detects the chain $C = (x_1, x_2, x_{13}, x_{14})$
above, any chain during completion of which the simulator could possibly define $F_3(x_3)$ is defined
before the simulator detects $C$.

^7 In very broad terms, both proofs present a step where an ideal permutation is replaced by the Feistel construction,
and values of the round functions are set by the evaluation of the construction: While each of the proofs presents a
different approach how this is done, neither of them presents a convincing argument of why this modification does
not affect the input-output behavior.
Next, we define a bad event BadlyCollide, which we show to occur if our hope fails. To understand
the main idea of event BadlyCollide, consider the chain $C$ again. Even though $F_3(x_3)$ is not yet
defined when the chain is detected, the value $x_3$ is already fixed at this point. The event BadlyCollide
occurs only if such a value appears in some other chain due to some unlikely collision (the "unlikely
collision" part is crucial: in general a distinguisher can set up new chains which contain such values,
in which case BadlyCollide should not occur).

In total, the above shows that our simulator never aborts (in contrast to the one given in
[CPS08c]). Of course, it is still necessary to show that the result is indifferentiable from a Feistel
construction.

To see why this can be difficult, consider a distinguisher which first queries the given permutation
$P(x_0, x_1)$, giving values $(x_{14}, x_{15})$. The distinguisher then checks (say) the first bit of $x_{14}$, and
depending on it, starts evaluating the simulated Feistel construction from the top with the input
values $(x_0, x_1)$, or from the bottom with values $(x_{14}, x_{15})$. Inspection of our simulator reveals that
the choice of the adapt zone of the simulator then depends on the first bit of $x_{14}$.

The problem which now comes in is that the randomness inherent in $(x_{14}, x_{15})$ is needed in
order to show that the values of $F$ in the adapt zones look random. However, conditioned on using
the upper adapt zone, one bit of $x_{14}$ is already fixed.

In order to solve this problem, we take the following, very explicit approach: we consider the
two experiments which we want to show to behave almost the same, and define a map associating
randomness in one experiment to randomness in the other experiment. We then study this
map. This leads to a more fine-grained understanding and a much more formal treatment of the
indistinguishability proof.^8

1.5 Model and Notational Conventions

The results throughout this paper are information-theoretic, and consider random experiments
where a distinguisher $D$ interacts with some given system $S$, outputting a value $D(S)$. In the
context of this paper, such systems consist of the composition $S = (S_1, S_2)$ of two (generally
correlated) systems accessible in parallel, where $S_i$ is either a random primitive (such as a random
function $F$ or a random permutation $P$ as defined above), or a construction $C^S$ accessing the random
primitive $S$. The advantage $\Delta^D(S, S')$ of a distinguisher $D$ in distinguishing two systems $S$ and $S'$
is defined as the absolute difference $|\Pr[D(S) = 1] - \Pr[D(S') = 1]|$.

We dispense to the largest extent with a formal definition of such systems (cf. e.g. the framework
of Maurer [Mau02] for a formal treatment). Most systems we consider will be defined formally
using pseudocode in a RAM model of computation, following the approach of [BR06; Sho04]. The
time complexity of a system/distinguisher is also measured with respect to such a model.

Defining indifferentiability is somewhat subtle, as different definitions [MRH04; CDMP05] are
used in the literature. Furthermore, it turns out that our simulator runs in polynomial time only
with overwhelming probability (which is a bit weaker than giving a worst-case polynomial bound
on its running time). In particular, we meet the following definition, which implies the original
definition in [MRH04]:

Definition 1.1. For a construction $C$ accessing independent random functions $F = (F_1, \ldots, F_r)$,^9
we say that $C^F$ is indifferentiable from a random permutation $P$ if there exists a simulator $S$
such that for all polynomially bounded $q$, the advantage $\Delta^D((C^F, F), (P, S^P))$ is negligible for all
distinguishers $D$ issuing a total of at most $q$ queries to the two given systems, and furthermore there
exists a fixed polynomial $p(q)$, such that $S$ runs in time $p(q)$ except with negligible probability.

^8 For reference: this step can be found in Section 3.5.5.

^9 Such a tuple can also be seen as a random primitive.

Finally, we warn the reader that the notation used in Section 2 differs strongly from the one
used in Section 3. The reason is that first in Section 2 we aim to stay close to the notation used
in [CPS08c] (with some minor modifications which we believe enhance readability). Unfortunately
this notation has some obvious problems when as many as 14 rounds are used, which is why we
cannot use it in Section 3.

2 The Six-Round Feistel Construction: An Attack

This section presents several problems in the existing proof of Coron et al. [CPS08c]. While we
cannot rule out the possibility that the six-round Feistel construction is indeed indifferentiable from a
random permutation, the contents of this section show that any such proof would be significantly
more involved than the one given in [CPS08c].

2.1 The Simulator of Coron et al.

We first provide a high-level description of the simulator $S$ used in the indifferentiability proof of
[CPS08c] for the six-round Feistel construction. This description is sufficient to convey the main
ideas underlying our attack and the problems with the existing proof, and a complete description
is given in Appendix A. For ease of reference, we use a similar notation to the one of [CPS08c]
throughout this section.

Recall that the simulator $S$ queries $P$ and $P^{-1}$ to simulate the round functions $F_1, \ldots, F_6$
consistently, where the given $P$ needs to have the same behaviour as the constructed six-round
Feistel construction. For each $i \in \{1, \ldots, 6\}$, the simulator stores the values $F_i(x)$ it has defined
up to the current point of the execution as a set $H(F_i)$ of pairs $(x, F_i(x))$, called the history of $F_i$.
We will write $x \in F_i$ if $F_i(x)$ is defined. At any point in time, the simulator considers so-called
3-chains, which are triples of values appearing in the histories of three consecutive round functions
and which are consistent with the evaluation of the Feistel construction. In the following, when we
refer to round $i-1$ or $i+1$, addition and subtraction are modulo 6, and the elements $\{1, \ldots, 6\}$
represent the equivalence classes.

Definition 2.1 (3-chain). A 3-chain is a triple $(x, y, z)$ (where the values are implicitly associated
with three consecutive rounds $i-1$, $i$, and $i+1$) which satisfies one of the following conditions with
respect to the given histories:

(i) If $i \in \{2, 3, 4, 5\}$: $x \in F_{i-1}$, $y \in F_i$, $z \in F_{i+1}$, and $F_i(y) = x \oplus z$;

(ii) If $i = 6$: $x \in F_5$, $y \in F_6$, $z \in F_1$, and $\exists\, x' \in \{0,1\}^n : P^{-1}(y \,\|\, F_6(y) \oplus x) = x' \,\|\, z$;

(iii) If $i = 1$: $x \in F_6$, $y \in F_1$, $z \in F_2$, and $\exists\, x' \in \{0,1\}^n : P(z \oplus F_1(y) \,\|\, y) = x \,\|\, x'$.


We next describe the main points of how the simulator attempts to simulate the round functions.
On a query $x \in F_i$ for the $i$-th round function $F_i$, the simulator $S$ replies with $F_i(x)$. If $x \notin F_i$, the
simulator assigns to $F_i(x)$ a uniform random value, and invokes a procedure called ChainQuery
with input $(x, i)$.

The procedure ChainQuery operates as follows. Let $C(+, x, i)$ and $C(-, x, i)$ be the sets
of all 3-chains with $x$ in round $i$ as their first value (these are so-called positive chains) and as
their last value (so-called negative chains), respectively. The procedure iterates over all 3-chains in
$C(+, x, i) \cup C(-, x, i)$, and for some subset of these chains it calls the procedure CompleteChain.
How the simulator chooses this subset is not important for this discussion.
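Definition 2.1 and the sets $C(+, x, i)$ and $C(-, x, i)$ used by ChainQuery, as an added example that is not part of the paper and not the code of [CPS08c]: a predicate implementing the three cases of the definition, including the wrap-around through $P$ and $P^{-1}$ at rounds 6 and 1, and the enumeration of positive and negative chains containing a given value. The permutation is a small shuffled table and the histories hold one chain constructed to be consistent with it; the 4-bit width, seeds and function names are assumptions of the example.

```python
import random

N_BITS = 4                               # toy half-width so the example is small (assumed)
ROUNDS = 6


def make_toy_permutation(seed=11):
    """A random permutation P on {0,1}^{2n} as a shuffled table (constructed data),
    returned as callables P(a, b) -> (c, d) and Pinv(c, d) -> (a, b) on n-bit halves."""
    rng = random.Random(seed)
    table = list(range(1 << (2 * N_BITS)))
    rng.shuffle(table)
    inv = {v: k for k, v in enumerate(table)}
    half = 1 << N_BITS

    def P(a, b):
        return divmod(table[(a << N_BITS) | b], half)   # (left half, right half)

    def Pinv(c, d):
        return divmod(inv[(c << N_BITS) | d], half)

    return P, Pinv


def nxt(i):
    """Round index i+1 modulo 6, with representatives 1..6 as in Section 2.1."""
    return i % ROUNDS + 1


def prv(i):
    """Round index i-1 modulo 6, with representatives 1..6."""
    return (i - 2) % ROUNDS + 1


def is_3chain(i, x, y, z, hist, P, Pinv):
    """Definition 2.1: is (x, y, z), at rounds (i-1, i, i+1), a 3-chain with respect to the
    histories hist[1..6] (dicts x -> F_i(x)) and the permutation P?"""
    if not (x in hist[prv(i)] and y in hist[i] and z in hist[nxt(i)]):
        return False
    if i in (2, 3, 4, 5):                  # (i): F_i(y) = x XOR z
        return hist[i][y] == x ^ z
    if i == 6:                             # (ii): P^{-1}(y || F_6(y) XOR x) = x' || z for some x'
        _, right = Pinv(y, hist[6][y] ^ x)
        return right == z
    left, _ = P(z ^ hist[1][y], y)         # (iii), i = 1: P(z XOR F_1(y) || y) = x || x' for some x'
    return left == x


def positive_chains(x, i, hist, P, Pinv):
    """C(+, x, i): 3-chains whose first value is x in round i (middle round i+1)."""
    m = nxt(i)
    return [(x, y, z) for y in hist[m] for z in hist[nxt(m)] if is_3chain(m, x, y, z, hist, P, Pinv)]


def negative_chains(x, i, hist, P, Pinv):
    """C(-, x, i): 3-chains whose last value is x in round i (middle round i-1)."""
    m = prv(i)
    return [(w, y, x) for w in hist[prv(m)] for y in hist[m] if is_3chain(m, w, y, x, hist, P, Pinv)]


def consistent_histories(P, seed=2):
    """Constructed data: histories holding one full chain x_0, ..., x_7 that is consistent
    with P, obtained by choosing F_1..F_4 at random and adapting F_5 and F_6 to P(x_0, x_1)."""
    rng = random.Random(seed)
    hist = {i: {} for i in range(1, ROUNDS + 1)}
    xs = [rng.getrandbits(N_BITS), rng.getrandbits(N_BITS)]         # x_0, x_1
    for i in (1, 2, 3, 4):
        hist[i][xs[i]] = rng.getrandbits(N_BITS)
        xs.append(hist[i][xs[i]] ^ xs[i - 1])                      # x_{i+1} = F_i(x_i) XOR x_{i-1}
    x6, x7 = P(xs[0], xs[1])
    hist[5][xs[5]] = xs[4] ^ x6                                   # adapt F_5 and F_6 to P
    hist[6][x6] = xs[5] ^ x7
    return hist, xs + [x6, x7]


if __name__ == "__main__":
    P, Pinv = make_toy_permutation()
    hist, xs = consistent_histories(P)
    for i in range(1, ROUNDS + 1):
        print(f"C(+, x_{i}, {i}) = {positive_chains(xs[i], i, hist, P, Pinv)}")
```

With a single consistent chain in the histories, every value $x_i$ is the first value of exactly one positive 3-chain and the last value of exactly one negative 3-chain; the two chains through round 6 and round 1 are only found because the predicate consults $P^{-1}$ and $P$, which is the part a simulator that looks at the round-function tables alone would miss.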

The procedure CompleteChain ensures consistency of the defined values with respect to
the six-round Feistel construction, and operates as follows on input a positive 3-chain $(x, y, z)$
(a negative chain is processed analogously): It extends it to a 6-tuple $(x_1, \ldots, x_6)$ with $x_i = x$,
$x_{i+1} = y$ and $x_{i+2} = z$ and the additional property that $F_k(x_k) = x_{k-1} \oplus x_{k+1}$ for all $k \in \{2, 3, 4, 5\}$
and also that $P(x_2 \oplus F_1(x_1) \,\|\, x_1) = x_6 \,\|\, F_6(x_6) \oplus x_5$. This is achieved by first computing $x_j$ for
some $j \in \{i-2, i+2\}$ and setting the value $F_j(x_j)$ uniformly at random (if undefined), and then
computing the two remaining values $x_\ell$ and $x_{\ell+1}$, and adapting the respective output values $F_\ell(x_\ell)$
and $F_{\ell+1}(x_{\ell+1})$ to satisfy the constraint imposed by the permutation $P$. Note that it may be that
setting these values is not possible (since some $x_\ell \in F_\ell$ or some $x_{\ell+1} \in F_{\ell+1}$), in which case we
say the simulator aborts. We point out that in this situation, the simulator is unable to define the
remaining chain values consistently with $P$. The precise choice of how $j$ is chosen depends on the
index $i$, and we describe it in detail in Appendix A.

As the completion of these 3-chains defines new entries for the function tables, new 3-chains
may appear. In this case, ChainQuery is recursively called on input $(x', i')$ for each value $F_{i'}(x')$
defined within one of the CompleteChain calls invoked by ChainQuery.

In the above description, we omitted one more complication: at the beginning of each invocation
of ChainQuery, some special procedures (called XorQuery$_1$, XorQuery$_2$, and
XorQuery$_3$) are invoked. Their purpose is to avoid some distinguishing attacks which are possible
against the simulator as detailed above, but in our distinguishing attack these procedures are not
helpful. We refer the reader to the Appendix for a complete treatment.

2.2 A problem in the Proof of jCPS08c| 

The core of the proof of [CPS08cj considers a distinguisher which interacts with P and S. The goal 
is to show that the probability that S aborts is negligible. 

The natural approach taken in [CPS08cj is, for any execution of ChainQuery and under the 
condition that no abort has occurred so far, to upper bound the probability that S aborts in one 
of the recursive calls to ChainQuery. To achieve this, the following condition is introduced: 

The distribution of Fi(x) when ChainQuery(x, i) is called is uniform in {0, l} n given 
the histories of all round functions, but where the value Fi(x) is removed from the 
history, and in the case where the ChainQuery invocation results from the completion 
of a chain, also all other values defined in that completion are removed from the history. 

The proof idea is as follows: Suppose that the condition holds for a ChainQuery invocation, 
and no abort has occurred so far. Then, except with negligible probability, no CompleteChain 
execution within that ChainQuery leads to an abort, and the condition holds for every recursive 
call to ChainQuery.¹⁰ 

The proof of this statement is very subtle: Between the point in time where the value F_i(x) is 
set and the invocation of ChainQuery(x, i), potentially several other ChainQuery calls are executed 
and extend the history. These additional values in the history could depend on F_i(x) and could 
fully determine F_i(x). 

¹⁰ We note that in some cases it turns out that the condition may not hold, but then a separate proof is given 
that no abort occurs for such a ChainQuery execution, and that the condition holds for all subsequent calls to 
ChainQuery, i.e., such bad invocations do not propagate. 

In fact, for specific cases where [CPS08c] claims that the condition described above can be 
established (such as Lemma 10), it is possible to show that the value F_i(x) is not distributed 
uniformly, but is in fact fully determined by the given history values. Thus, the condition does 
clearly not hold. For details, we refer to [Kün09]. We do not see how the proof can be extended 
to fix this problem. These issues led to a concrete attack, which we describe below. Since this 
is a much stronger statement, we dispense with a more detailed description of the problems in 
[CPS08c]. 

A Problem in the Proof of [Seu09]. An alternative, and more elegant, approach for the 10-round 
Feistel construction is given by Seurin [Seu09] in his PhD thesis. The core of the proof also 
consists in proving an upper bound on the abort probability of the simulator. 

However, the proof suffers from similar problems as in [CPS08c]. As an example, the proof 
of Lemma 2.11 in [Seu09] claims that the simulator aborts only with negligible probability in 
CompleteChain_2(W, R, S, D) when adapting F_3(X), because X = R ⊕ F_2(W), and F_2(W) is 
distributed uniformly in {0,1}^n. Yet, the statement about F_2(W) being uniform is questionable, 
since, similarly to the above case, there are function values defined after F_2(W) ←$ {0,1}^n 
occurred, but before F_3(X) gets adapted. These values might well depend on F_2(W), and therefore 
it is not at all clear if F_2(W) is still distributed uniformly given the values in the history, and how 
one could prove such a statement. 

Orthogonally, conditioning on something other than the complete history at the moment 
where F_2(W) is used does not appear to be a viable option either. This leads us to the conclusion that it 
is still open whether this simulator can be used to prove indifferentiability. However, in contrast to the 
6-round case, we have been unable to find a concrete distinguishing attack when this simulator is 
used. 

2.3 The Attack against the Simulator of [CPS08c] 

As formalized by the following theorem, we show that there exists a strategy for D such that S 
aborts with overwhelming probability. This immediately implies that S cannot be used to prove 
indifferentiability, since using the given strategy, one can distinguish the real setting from the ideal 
setting (where S aborts). 

Theorem 2.2. There is a distinguisher D such that S aborts with overwhelming probability when 
D interacts with P and S. 

The attack asks a very limited number of queries (i.e., 7 queries to the simulator, and three 
permutation queries). When asking the last simulator query, the simulator is forced to complete 
five different 3-chains. The queries are chosen in a way that after completing the first four chains, 
four values of the completion of the remaining 3-chain are defined before the associated permutation 
query is issued by the simulator. At this point, regardless of the strategy used, it is unlikely that 
the simulator can set values so that this last chain is completed, and the simulator aborts. Figure 1 
illustrates the structure of the (completed) 3-chains. 

Outline of the attack and intuition. The distinguisher D chooses n-bit values X, R_2, R_3, 
and for i ∈ {2, 3}, lets L_i := F_1(R_i) ⊕ X, S_i‖T_i := P(L_i‖R_i), and A_i := F_6(S_i) ⊕ T_i. Then, it 
defines R_1 := R_2 ⊕ A_2 ⊕ A_3, L_1 := F_1(R_1) ⊕ X, S_1‖T_1 := P(L_1‖R_1), and A_1 := F_6(S_1) ⊕ T_1. It 
is not hard to verify that (S_i, R_i, X) are all 3-chains for i = 1, 2, 3. When completed to full chains 
(R_i, X, Y_i, Z_i, A_i, S_i), the values (Y_1, Z_2, A_3) also constitute a 3-chain, since 

    F_4(Z_2) = A_2 ⊕ Y_2 = R_1 ⊕ R_2 ⊕ A_3 ⊕ Y_2 = R_1 ⊕ F_2(X) ⊕ A_3 = Y_1 ⊕ A_3 
Figure 1: Illustration of the attack provoking the simulator S to abort. 



under the assumption that the first three chains have been completed correctly. Finally, the 
distinguisher queries A := A_1 ⊕ R_1 ⊕ R_2 to F_5. Note that (Y_2, Z_1, A) also constitutes a 3-chain under 
the assumption that the first three chains are completed correctly, since 

    F_4(Z_1) = Y_1 ⊕ A_1 = Y_1 ⊕ A ⊕ R_1 ⊕ R_2 = F_2(X) ⊕ A ⊕ R_2 = A ⊕ Y_2. 

Finally, note that 

    Z_1 ⊕ F_3(Y_2) = Z_1 ⊕ Z_2 ⊕ X = Z_2 ⊕ F_3(Y_1). 

This means in particular that when completed, the 3-chains (Y_1, Z_2, A_3) and (Y_2, Z_1, A) have a 
common second value, which we denote as X'. 

The core idea of the attack is the following: The simulator S first completes the 3-chains 
(S_i, R_i, X) for i = 1, 2, 3, and only subsequently turns to completing the two remaining 3-chains. 
Say it completes the 3-chain (Y_2, Z_1, A) first: Then, as this chain has a common value with the 
completion of the 3-chain (Y_1, Z_2, A_3), in the end the simulator has only two possible values (namely, 
those at both ends of the completed chain) which are still free to be set to complete the 3-chain 
(Y_1, Z_2, A_3), and this leads to an abort. (In fact, we prove the slightly stronger statement that the 
simulator fails even if it adopts any other strategy to complete this last chain, once the second-last 
chain is completed.) 

The main difficulty of the full analysis, given in Appendix B, is that the actual simulator makes 
calls to procedures (called XorQuery_1, XorQuery_2, and XorQuery_3) which are intended to 
prevent (other) attacks. To show that no such call affects the intuition behind our attack is a rather 
cumbersome task. 

Note that our implementation of the simulator and our attack in Python indeed shows that the 
simulator aborts (the code can be found as an ancillary file in [HKT10]). 

A stronger attack. It is actually possible to come up with a simulator that defines all function 
values consistently with P under the attack presented in the previous section, and thus the attack falls 
short of proving that the six-round Feistel construction cannot be indifferentiable from a random 
permutation. Appendix C presents a stronger distinguishing attack, for which, in fact, we were not 
able to come up with a simulator which withstands it. We conjecture that no simulator within a 
very large class of simulators is able to withstand this distinguishing attack, but giving such a proof 
seems to be quite difficult and to require a deeper and more general understanding of the possible 
dependencies between chains. Nonetheless, we consider this distinguisher to be a useful testbed for 
any attempt to fix the indifferentiability proof for six rounds.¹¹ 



3 Indifferentiability of the Feistel Construction from a Random 
Permutation 

We prove that the 14-round Feistel construction is indifferentiable from a random permutation. 

Theorem 3.1. The 14-round Feistel construction using 14 independent random functions is 
indifferentiable from a random permutation. 

The remainder of this section is devoted to the proof of Theorem 3.1. Our task is to provide 
a simulator S with access to a random permutation P such that (S^P, P) is indistinguishable from 
(F, Ψ^F), where F denotes the random functions used in the Feistel construction. 

We first define the simulator S in Section 3.1. Then we transform (S^P, P) stepwise to (F, Ψ^F). 

The random functions we consider in this section are always from n bits to n bits, and the random 
permutation P is over 2n bits. 



3.1 Simulator Definition 

We first give a somewhat informal, but detailed description of the simulator. We then use 
pseudocode to specify the simulator in a more formal manner. 

3.1.1 Informal description 

The simulator provides an interface S.F(k, x) to query the simulated random function on input x. 
For each k, the simulator internally maintains a table that has entries which are pairs (x, y). They 
denote pairs of inputs and outputs of S.F(k, x). We denote these tables simply by G_k when the 
context is clear. We write x ∈ G_k to denote that x is a preimage in this table, often identifying 
G_k with the set of preimages stored. When x ∈ G_k, G_k(x) denotes the corresponding image. 

On a query S.F(k, x), the simulator first checks whether x ∈ G_k. If so, it answers with G_k(x). 
Otherwise the simulator picks a random value y and inserts (x, y) into G_k. After this, the 
simulator takes steps to ensure that in the future it answers consistently with the random permutation 
P. 

There are two cases in which the simulator performs a specific action for this. First, if k ∈ 
{2, 13}, the simulator considers all newly generated tuples (x_1, x_2, x_13, x_14) ∈ G_1 × G_2 × G_13 × G_14, 
and computes x_0 := x_2 ⊕ G_1(x_1) and x_15 := x_13 ⊕ G_14(x_14). It then checks whether P(x_0, x_1) = 
(x_14, x_15). Whenever the answer to such a check is positive, the simulator enqueues the detected 
values in a queue. More precisely, it enqueues a four-tuple (x_1, x_2, 1, ℓ). The value 1 ensures that 
later the simulator knows that the first value x_1 corresponds to G_1. The value ℓ describes where 
to adapt values of G_ℓ to ensure consistency with the given permutation. If k = 2, then ℓ = 4 and 
if k = 13 then ℓ = 10. 

The second case is when k ∈ {7, 8}. Then, the simulator enqueues all newly generated pairs 
(x_7, x_8) ∈ G_7 × G_8. It enqueues all these pairs into the queue as (x_7, x_8, 7, ℓ), where ℓ = 4 if k = 7 
and ℓ = 10 if k = 8 (this is illustrated in Figure 2). 

¹¹ We have also implemented this more general attack in Python, and, not surprisingly, its execution also leads to 
an abort of the simulator S. 

Figure 2: The 14-round Feistel with the zones where our simulator detects chains and adapts them. 
Whenever a function value G_2(x_2), G_7(x_7), G_8(x_8), or G_13(x_13) is defined, the simulator checks 
whether the values in the blue dashed zones x_7, x_8 and x_1, x_2, x_13, x_14 form a partial chain. In case 
a chain is detected, it is completed; the function values in the red dashed zones are adapted in 
order to ensure consistency of the chain. 
After enqueuing this information, the simulator immediately takes the partial chain out of the 
queue again, and starts completing it. For this, it evaluates the Feistel chain forward and backward 
(invoking P or P^{-1} at one point in order to wrap around), until x_ℓ and x_{ℓ+1} are computed, and 
only the two values G_ℓ(x_ℓ) and G_{ℓ+1}(x_{ℓ+1}) are possibly undefined. The simulator defines the 
remaining two values in such a way that consistency with P is ensured, i.e., G_ℓ(x_ℓ) := x_{ℓ-1} ⊕ x_{ℓ+1} 
and G_{ℓ+1}(x_{ℓ+1}) := x_ℓ ⊕ x_{ℓ+2}. If a value for either of these is defined from a previous action of the 
simulator, the simulator overwrites the value (possibly making earlier chains inconsistent). 

During the evaluation of the Feistel chain, the simulator usually defines new values for the 
tables G. Whenever a value G_k(x_k) for k ∈ {2, 13} is defined, the exact same checks as above are 
performed on the newly generated tuples (x_1, x_2, x_13, x_14). Whenever a value G_k(x_k) for k ∈ {7, 8} 
is defined, the simulator similarly enqueues all new pairs (x_7, x_8). 

When the simulator has finished completing a chain, it checks whether the queue is now empty. 
While it is not empty, it keeps dequeuing entries and completing chains; otherwise, it returns the 
answer to the initial query to the caller. 

In order to make sure the simulator does not complete the same chains twice, the simulator 
additionally keeps a set CompletedChains that contains all triples (x_k, x_{k+1}, k) which have been 
completed previously. Whenever the simulator dequeues a chain, it only completes the chain if it 
is not in the set CompletedChains. 



3.1.2 The simulator in pseudocode 

We now provide pseudocode to describe the simulator as explained above in full detail. Later, during 
the analysis, we will consider a slightly different simulator T. For this, we replace whole lines; the 
replacements are put into boxes next to these lines (rendered here as [T(f): ...] at the end of the 
line). The reader can ignore these replacements at the moment. 

First, the simulator internally uses a queue and some hashtables to store the function values, 
and a set CompletedChains to remember the chains that have been completed already. 



System S:                                              System T(f): 

  Variables: 
    Queue Q 
    Hashtable G_1, ..., G_14 
    Set CompletedChains := ∅ 

The procedure F(i, x) provides the interface to a distinguisher. It first calls the corresponding 
internal procedure F_INNER, which defines the value and fills the queue if necessary. Then, the 
procedure F(i, x) completes the chains in the queue that were not completed previously, until the 
queue is empty. 

 7  public procedure F(i, x): 
 8    F_INNER(i, x) 
 9    while ¬Q.Empty() do 
10      (x_k, x_{k+1}, k, ℓ) := Q.Dequeue() 
11      if (x_k, x_{k+1}, k) ∉ CompletedChains then            // ignore previously completed chains 
12        (x_{ℓ-2}, x_{ℓ-1}) := EvaluateForward(x_k, x_{k+1}, k, ℓ-2)    // complete the chain 
13        (x_{ℓ+2}, x_{ℓ+3}) := EvaluateBackward(x_k, x_{k+1}, k, ℓ+2) 
14        Adapt(x_{ℓ-2}, x_{ℓ-1}, x_{ℓ+2}, x_{ℓ+3}, ℓ) 
15        (x_1, x_2) := EvaluateBackward(x_k, x_{k+1}, k, 1) 
16        (x_7, x_8) := EvaluateForward(x_1, x_2, 1, 7) 
17        CompletedChains := CompletedChains ∪ {(x_1, x_2, 1), (x_7, x_8, 7)} 
18    return G_i(x) 

The procedure Adapt adapts the values. It first sets the values marked green in Figure 2 
uniformly at random, and also the next ones. It then adapts the values of G_ℓ(x_ℓ) and G_{ℓ+1}(x_{ℓ+1}) 
such that the chain matches the permutation. 

It would be possible to simplify the code by removing lines 20 to 25 below, and changing the 
parameters in lines 12 and 13 above. The current notation simplifies notation in the proof. 

19  private procedure Adapt(x_{ℓ-2}, x_{ℓ-1}, x_{ℓ+2}, x_{ℓ+3}, ℓ): 
20    if x_{ℓ-1} ∉ G_{ℓ-1} then 
21      G_{ℓ-1}(x_{ℓ-1}) ←$ {0,1}^n                   [T(f): G_{ℓ-1}(x_{ℓ-1}) := f(ℓ-1, x_{ℓ-1})] 
22    x_ℓ := x_{ℓ-2} ⊕ G_{ℓ-1}(x_{ℓ-1}) 
23    if x_{ℓ+2} ∉ G_{ℓ+2} then 
24      G_{ℓ+2}(x_{ℓ+2}) ←$ {0,1}^n                   [T(f): G_{ℓ+2}(x_{ℓ+2}) := f(ℓ+2, x_{ℓ+2})] 
25    x_{ℓ+1} := x_{ℓ+3} ⊕ G_{ℓ+2}(x_{ℓ+2}) 
26    ForceVal(x_ℓ, x_{ℓ+1} ⊕ x_{ℓ-1}, ℓ) 
27    ForceVal(x_{ℓ+1}, x_ℓ ⊕ x_{ℓ+2}, ℓ+1) 

29  private procedure ForceVal(x, y, ℓ): 
30    G_ℓ(x) := y 

The procedure F_INNER provides the internal interface for evaluations of the simulated function. 
It only fills the queue, but does not empty it. 

31  private procedure F_INNER(i, x): 
32    if x ∉ G_i then 
33      G_i(x) ←$ {0,1}^n                             [T(f): G_i(x) := f(i, x)] 
34      if i ∈ {2, 7, 8, 13} then 
35        EnqueueNewChains(i, x) 
36    return G_i(x) 

The procedure EnqueueNewChains detects newly created chains and enqueues them. Sometimes, 
chains may be detected which have been completed before, but they are ignored when they 
are dequeued. 

37  private procedure EnqueueNewChains(i, x): 
38    if i = 2 then 
39      forall (x_1, x_2, x_13, x_14) ∈ G_1 × {x} × G_13 × G_14 do 
40        if Check(x_2 ⊕ G_1(x_1), x_1, x_14, x_13 ⊕ G_14(x_14)) then 
41          Q.Enqueue(x_1, x_2, 1, 4) 
42    else if i = 13 then 
43      forall (x_1, x_2, x_13, x_14) ∈ G_1 × G_2 × {x} × G_14 do 
44        if Check(x_2 ⊕ G_1(x_1), x_1, x_14, x_13 ⊕ G_14(x_14)) then 
45          Q.Enqueue(x_1, x_2, 1, 10) 
46    else if i = 7 then 
47      forall (x_7, x_8) ∈ {x} × G_8 do 
48        Q.Enqueue(x_7, x_8, 7, 4) 
49    else if i = 8 then 
50      forall (x_7, x_8) ∈ G_7 × {x} do 
51        Q.Enqueue(x_7, x_8, 7, 10) 

52  private procedure Check(x_0, x_1, x_14, x_15): 
53    return P(x_0, x_1) = (x_14, x_15)               [T(f): return R.Check(x_0, x_1, x_14, x_15)] 

The helper procedures EvaluateForward and EvaluateBackward take indices k and ℓ 
and a pair (x_k, x_{k+1}) of input values for G_k and G_{k+1}, and either evaluate forward or backward in 
the Feistel to obtain the pair (x_ℓ, x_{ℓ+1}) of input values for G_ℓ and G_{ℓ+1}. 

54  private procedure EvaluateForward(x_k, x_{k+1}, k, ℓ): 
55    while k ≠ ℓ do 
56      if k = 14 then 
57        (x_0, x_1) := P^{-1}(x_14, x_15)             [T(f): (x_0, x_1) := R.P^{-1}(x_14, x_15)] 
58        k := 0 
59      else 
60        x_{k+2} := x_k ⊕ F_INNER(k+1, x_{k+1}) 
61        k := k + 1 
62    return (x_ℓ, x_{ℓ+1}) 

63  private procedure EvaluateBackward(x_k, x_{k+1}, k, ℓ): 
64    while k ≠ ℓ do 
65      if k = 0 then 
66        (x_14, x_15) := P(x_0, x_1)                  [T(f): (x_14, x_15) := R.P(x_0, x_1)] 
67        k := 14 
68      else 
69        x_{k-1} := x_{k+1} ⊕ F_INNER(k, x_k) 
70        k := k − 1 
71    return (x_ℓ, x_{ℓ+1}) 
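To make the control flow of the pseudocode concrete, here is a direct Python transcription of S (an added example, not the authors' implementation). It assumes a toy random permutation over 2n bits that is sampled in full for n = 8, which is only possible for such a tiny n; the simulator keeps the tables G_1, ..., G_14, the queue Q and CompletedChains exactly as above. The demo evaluates the 14-round Feistel from the distinguisher's side through S.F and checks that the answer agrees with P, which must hold once the pair (x_7, x_8) is detected and the chain is adapted at ℓ = 10. The counter of ForceVal overwrites is an addition for illustration and is not part of the pseudocode.

```python
import random
from collections import deque

class RandomPermutation:
    """Random permutation on 2n bits, drawn in full (feasible only for tiny n)."""
    def __init__(self, n, rng):
        self.n, self.mask = n, (1 << n) - 1
        self.fwd = list(range(1 << (2 * n)))
        rng.shuffle(self.fwd)
        self.inv = [0] * len(self.fwd)
        for a, b in enumerate(self.fwd):
            self.inv[b] = a
    def _split(self, v):
        return v >> self.n, v & self.mask
    def P(self, x0, x1):
        return self._split(self.fwd[(x0 << self.n) | x1])
    def P_inv(self, x14, x15):
        return self._split(self.inv[(x14 << self.n) | x15])

class Simulator:
    """Transcription of S: tables G_1..G_14, queue Q and the set CompletedChains."""
    def __init__(self, n, perm, rng):
        self.n, self.perm, self.rng = n, perm, rng
        self.G = {i: {} for i in range(1, 15)}
        self.Q = deque()
        self.completed = set()
        self.force_overwrites = 0          # illustration only: overwrites in ForceVal

    def F(self, i, x):                     # public procedure F(i, x)
        self.F_inner(i, x)
        while self.Q:
            xk, xk1, k, ell = self.Q.popleft()
            if (xk, xk1, k) in self.completed:
                continue                   # ignore previously completed chains
            xa, xb = self.eval_fwd(xk, xk1, k, ell - 2)   # (x_{l-2}, x_{l-1})
            xc, xd = self.eval_bwd(xk, xk1, k, ell + 2)   # (x_{l+2}, x_{l+3})
            self.adapt(xa, xb, xc, xd, ell)
            x1, x2 = self.eval_bwd(xk, xk1, k, 1)
            x7, x8 = self.eval_fwd(x1, x2, 1, 7)
            self.completed.update({(x1, x2, 1), (x7, x8, 7)})
        return self.G[i][x]

    def adapt(self, xl2, xl1, xr2, xr3, ell):
        if xl1 not in self.G[ell - 1]:
            self.G[ell - 1][xl1] = self.rng.getrandbits(self.n)
        xl = xl2 ^ self.G[ell - 1][xl1]                   # x_l
        if xr2 not in self.G[ell + 2]:
            self.G[ell + 2][xr2] = self.rng.getrandbits(self.n)
        xl_next = xr3 ^ self.G[ell + 2][xr2]              # x_{l+1}
        self.force_val(xl, xl_next ^ xl1, ell)            # G_l(x_l) := x_{l-1} xor x_{l+1}
        self.force_val(xl_next, xl ^ xr2, ell + 1)        # G_{l+1}(x_{l+1}) := x_l xor x_{l+2}

    def force_val(self, x, y, ell):
        if x in self.G[ell] and self.G[ell][x] != y:
            self.force_overwrites += 1
        self.G[ell][x] = y

    def F_inner(self, i, x):
        if x not in self.G[i]:
            self.G[i][x] = self.rng.getrandbits(self.n)
            if i in (2, 7, 8, 13):
                self.enqueue_new_chains(i, x)
        return self.G[i][x]

    def enqueue_new_chains(self, i, x):
        G = self.G
        if i in (2, 13):
            ell = 4 if i == 2 else 10
            x2s, x13s = ([x], list(G[13])) if i == 2 else (list(G[2]), [x])
            for x1 in list(G[1]):
                for x2 in x2s:
                    for x13 in x13s:
                        for x14 in list(G[14]):
                            if self.check(x2 ^ G[1][x1], x1, x14, x13 ^ G[14][x14]):
                                self.Q.append((x1, x2, 1, ell))
        elif i == 7:
            for x8 in list(G[8]):
                self.Q.append((x, x8, 7, 4))
        else:                                             # i == 8
            for x7 in list(G[7]):
                self.Q.append((x7, x, 7, 10))

    def check(self, x0, x1, x14, x15):
        return self.perm.P(x0, x1) == (x14, x15)

    def eval_fwd(self, xk, xk1, k, ell):
        while k != ell:
            if k == 14:                                   # wrap around through P^{-1}
                xk, xk1 = self.perm.P_inv(xk, xk1)
                k = 0
            else:                                         # x_{k+2} := x_k xor G_{k+1}(x_{k+1})
                xk, xk1 = xk1, xk ^ self.F_inner(k + 1, xk1)
                k += 1
        return xk, xk1

    def eval_bwd(self, xk, xk1, k, ell):
        while k != ell:
            if k == 0:                                    # wrap around through P
                xk, xk1 = self.perm.P(xk, xk1)
                k = 14
            else:                                         # x_{k-1} := x_{k+1} xor G_k(x_k)
                xk, xk1 = xk1 ^ self.F_inner(k, xk), xk
                k -= 1
        return xk, xk1

def feistel_through_simulator(sim, x0, x1):
    """What a distinguisher sees when it evaluates the 14-round Feistel via S.F."""
    a, b = x0, x1
    for i in range(1, 15):
        a, b = b, a ^ sim.F(i, b)
    return a, b

def demo(n=8, seed=2010):
    rng = random.Random(seed)                             # constructed seed
    perm = RandomPermutation(n, rng)
    sim = Simulator(n, perm, rng)
    x0, x1 = 0x3c, 0xa5                                   # constructed query
    matches = feistel_through_simulator(sim, x0, x1) == perm.P(x0, x1)
    return matches, len(sim.completed), sim.force_overwrites
```

In the demo the chain is detected at the query to G_8: EnqueueNewChains(8, x_8) enqueues (x_7, x_8, 7, 10), the backward evaluation wraps through P and, when G_13(x_13) is defined on the way, re-detects the same chain as (x_1, x_2, 1, 10), which is then skipped because both triples are already in CompletedChains. No ForceVal overwrite happens with a single chain; the overwrite counter is there to make the "possibly making earlier chains inconsistent" remark observable when more chains are queried.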



3.2 Proof of Indifferentiability 

In this section, we provide the indifferentiability analysis. The overall plan is that we first fix a 
deterministic distinguisher D, and suppose that it makes at most q queries.¹² We then show that 
the probability that D outputs 1 when interacting with (P, S^P) differs by at most poly(q)/2^n from the 
probability it outputs 1 when interacting with (Ψ^F, F), where Ψ is a 14-round Feistel construction, 
and F is a collection of 14 uniform random functions. 

We denote the scenario where D interacts with (P, S^P) by S1, and the scenario where D interacts 
with (Ψ^F, F) by S4. The scenarios S2 and S3 will be intermediate scenarios. 

3.2.1 Replacing the permutation with a random function 

Scenario S2 is similar to S1. However, instead of the simulator S we use the simulator T(f), 
and instead of a random permutation P we use a two-sided random function R(p). The differences 
between these systems are as follows: 

¹² We may assume that D is deterministic, since we are only interested in the advantage of the optimal distinguisher, 
and for any probabilistic distinguisher, the advantage can be at most the advantage of the optimal deterministic 
distinguisher. 
Explicit randomness: We make the randomness used by the simulator explicit. Whenever 
S sets G_i(x_i) to a random value, T(f) takes it from f(i, x_i) instead, where f is a table which 
contains an independent uniform random bitstring of length n for each i ∈ {1, 2, ..., 14} and 
x_i ∈ {0,1}^n. This modification does not change the distribution of the simulation, because it 
is clear that the simulator considers each entry of f at most once. 

As depicted in the pseudocode below, the randomness of the two-sided random function R(p) 
is also explicit: it is taken from p(↓, x_0, x_1) or p(↑, x_14, x_15), a table in which each entry is an 
independent uniform random bitstring of length 2n. 

Two-sided random function: We replace the random permutation P by a two-sided random 
function R(p) (see below for pseudocode). This function keeps a hashtable P which contains 
elements (↓, x_0, x_1) and (↑, x_14, x_15). Whenever the procedure R.P(x_0, x_1) is queried, R checks 
whether (↓, x_0, x_1) ∈ P, and if so, answers accordingly. Otherwise, an independent uniform 
random output (x_14, x_15) is picked (by considering p), and (↓, x_0, x_1) as well as (↑, x_14, x_15) 
are added to P, mapping to each other. 

Check procedure: The two-sided random function R has a procedure Check(x_0, x_1, x_14, x_15). 
It checks whether P maps (↓, x_0, x_1) to (x_14, x_15), and if so, returns true. If not, it checks 
whether P maps (↑, x_14, x_15) to (x_0, x_1), and if so, returns true. Otherwise, it returns false. 
The simulator T(f) also differs from S in that T(f).Check simply calls R.Check. 

Pseudocode for T(f) can be obtained by using the boxed contents on the right hand side in the 
pseudocode of S instead of the corresponding line. For the two-sided random function R, the 
pseudocode looks as follows: 

System Two-sided random function R(p): 
  Variables: 
    Hashtable P 

  public procedure P(x_0, x_1): 
    if (↓, x_0, x_1) ∉ P then 
      (x_14, x_15) := p(↓, x_0, x_1) 
      P(↓, x_0, x_1) := (x_14, x_15) 
      P(↑, x_14, x_15) := (x_0, x_1)            // (May overwrite an entry) 
    return P(↓, x_0, x_1) 

  public procedure P^{-1}(x_14, x_15): 
    if (↑, x_14, x_15) ∉ P then 
      (x_0, x_1) := p(↑, x_14, x_15) 
      P(↓, x_0, x_1) := (x_14, x_15)            // (May overwrite an entry) 
      P(↑, x_14, x_15) := (x_0, x_1) 
    return P(↑, x_14, x_15) 

  public procedure Check(x_0, x_1, x_14, x_15): 
    if (↓, x_0, x_1) ∈ P then return P(↓, x_0, x_1) = (x_14, x_15) 
    if (↑, x_14, x_15) ∈ P then return P(↑, x_14, x_15) = (x_0, x_1) 
    return false 
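As an added illustration of the two-sided random function R(p) (not the paper's code), the following Python class samples the table p lazily from a seeded generator, keeps the hashtable P with the ↓/↑ tagged entries, counts the "(May overwrite an entry)" events of the pseudocode, and implements Check without ever touching p. The width n = 32, the seed and the query values are constructed.

```python
import random

DOWN, UP = "down", "up"        # the two tags of the hashtable P

class TwoSidedRandomFunction:
    """Lazily sampled two-sided random function R(p) on 2n-bit values."""
    def __init__(self, n, seed=0):
        self.n = n
        self.rng = random.Random(seed)   # stands in for the uniform table p
        self.p = {}                      # entries of p, drawn the first time they are read
        self.P = {}                      # hashtable P: (tag, a, b) -> (c, d)
        self.overwrites = 0              # how often an existing entry of P was replaced

    def _p(self, key):
        if key not in self.p:
            self.p[key] = (self.rng.getrandbits(self.n), self.rng.getrandbits(self.n))
        return self.p[key]

    def _store(self, x0, x1, x14, x15):
        for key, val in (((DOWN, x0, x1), (x14, x15)), ((UP, x14, x15), (x0, x1))):
            if key in self.P and self.P[key] != val:
                self.overwrites += 1     # the "(May overwrite an entry)" case
            self.P[key] = val

    def forward(self, x0, x1):           # R.P(x_0, x_1)
        if (DOWN, x0, x1) not in self.P:
            x14, x15 = self._p((DOWN, x0, x1))
            self._store(x0, x1, x14, x15)
        return self.P[(DOWN, x0, x1)]

    def backward(self, x14, x15):        # R.P^{-1}(x_14, x_15)
        if (UP, x14, x15) not in self.P:
            x0, x1 = self._p((UP, x14, x15))
            self._store(x0, x1, x14, x15)
        return self.P[(UP, x14, x15)]

    def check(self, x0, x1, x14, x15):   # R.Check: consults P only, never p
        if (DOWN, x0, x1) in self.P:
            return self.P[(DOWN, x0, x1)] == (x14, x15)
        if (UP, x14, x15) in self.P:
            return self.P[(UP, x14, x15)] == (x0, x1)
        return False

def demo(n=32, seed=7):
    R = TwoSidedRandomFunction(n, seed)
    x0, x1 = 0x0123, 0x4567                        # constructed query
    x14, x15 = R.forward(x0, x1)
    stable = R.forward(x0, x1) == (x14, x15)       # repeated query, same answer
    inverse_ok = R.backward(x14, x15) == (x0, x1)  # the (up) entry mirrors the (down) one
    hit = R.check(x0, x1, x14, x15)
    miss = R.check(x0, x1, x14 ^ 1, x15)
    unqueried = R.check(0xdead, 0xbeef, 0, 0)      # no entry in P: false, p untouched
    return stable, inverse_ok, hit, miss, unqueried, R.overwrites
```

The distinction between the random permutation and R(p) is exactly the overwrite counter: a fresh 2n-bit value read from p may collide with an existing (↑, ·, ·) entry, which is the BadOverwrite event bounded in Section 3.3; for a single forward query followed by its inverse the counter stays at zero.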



We claim that for uniformly chosen (f, p), the probability that D outputs 1 in scenario S2(f, p) 
differs only by poly(q)/2^n from the probability it outputs 1 in S1. For this, we first note that clearly the 
simulator can take the randomness from f without any change. Secondly, instead of the procedure 
Check in the simulator S, we can imagine that the random permutation P has a procedure 
P.Check which is implemented exactly as in line 53 of S, and S.Check simply calls P.Check. 
The following lemma states that such a system P is indistinguishable from R as above, which 
then implies the claim. We prove the lemma in Section 3.3; the proof is neither surprising nor 
particularly difficult. 

Lemma 3.2. Consider a random permutation over 2n bits, to which we add the procedure Check 
as in line 53 of the simulator S. Then, a distinguisher which issues at most q' queries to either 
the random permutation or to the two-sided random function R has advantage at most 6q'^2/2^{2n} in 
distinguishing the two systems. 

Additionally, we will need that in S2 the number of queries made by the simulator is poly(q). 
This is given in the following lemma, which we prove in Section 3.4. 

Lemma 3.3. In S2, at any point in the execution we have |G_i| ≤ 6q^2 for all i. Furthermore, there 
are at most 6q^2 queries to each of R.P and R.P^{-1}, and at most 1296q^8 queries to R.Check. 

In order to prove Lemma 3.3, we can follow the elegant idea from [CPS08c]. Thus, while we 
give the proof for completeness, it should not be considered a contribution of this paper. It is in 
fact very similar to the corresponding proof in [Seu09]. 



3.2.2 Introducing a Feistel construction 

In S3(h), we replace the above two-sided random function R(p) by a Feistel construction Ψ(h). For 
this, we use the following system: 

System Ψ(h): 
  Variables: 
    Hashtable H_1, ..., H_14 
    Hashtable P 

  private procedure F(i, x_i): 
    if x_i ∉ H_i then 
      H_i(x_i) := h(i, x_i) 
    return H_i(x_i) 

  public procedure P(x_0, x_1): 
    for i := 2 to 15 do 
      x_i := x_{i-2} ⊕ F(i-1, x_{i-1}) 
    P(↓, x_0, x_1) := (x_14, x_15) 
    P(↑, x_14, x_15) := (x_0, x_1) 
    return (x_14, x_15) 

  public procedure P^{-1}(x_14, x_15): 
    for i := 13 to 0 step −1 do 
      x_i := x_{i+2} ⊕ F(i+1, x_{i+1}) 
    P(↓, x_0, x_1) := (x_14, x_15) 
    P(↑, x_14, x_15) := (x_0, x_1) 
    return (x_0, x_1) 

  public procedure Check(x_0, x_1, x_14, x_15): 
    if (↓, x_0, x_1) ∈ P then return P(↓, x_0, x_1) = (x_14, x_15) 
    if (↑, x_14, x_15) ∈ P then return P(↑, x_14, x_15) = (x_0, x_1) 
    return false 

We define S3(h) to be the system where the distinguisher interacts with (Ψ(h), T(h)^{Ψ(h)}). Note 
that the randomness used by Ψ and T is the same, and we call it h. We show the following lemma 
in Section 3.5. 

Lemma 3.4. The probability that a fixed distinguisher answers 1 in S2 for uniform random 
(f, p) differs at most by 8 · 10^c · q^d / 2^n from the probability that it answers 1 in S3(h) for uniform 
random h (the exponents c and d of this constant are not legible in this copy of the paper). 

The proof of this lemma is the main contribution of this paper. A large part of the proof consists 
in showing that the simulator does not overwrite a value in calls to ForceVal; this part is very 
different from the corresponding step in [CPS08c]. An interesting feature of the proof is that in a 
second part it directly maps pairs (f, p) to elements h = τ(f, p) such that S2(f, p) and S3(h) behave 
the same for most pairs (f, p), and the distribution induced by τ is close to uniform. This part is 
also very different from [CPS08c]. 



3.2.3 Removing the simulator 

In S3, the distinguisher accesses the random functions through the simulator. We want to show 
that the distinguisher can instead access the random functions directly. 

Lemma 3.5. Suppose that in S3(h) the simulator T(h) eventually answers a query F(i, x). Then, 
it is answered with h(i, x). 

Proof. The simulator T(h) either sets G_i(x) := h(i, x) or G_i(x_i) := x_{i-1} ⊕ x_{i+1} in a call to Adapt. 
For pairs (i, x) which are set by the first kind of assignment the lemma is clear. Otherwise, consider the Adapt 
call: just before the call, the Feistel construction was evaluated either forward or backward in a call 
to Ψ.P(x_0, x_1) or Ψ.P^{-1}(x_14, x_15). Since Ψ evaluates P and P^{-1} with calls to h, the value G_i(x_i) 
must be h(i, x) as well. □ 



3.2.4 Indifferentiability 

We can now prove Theorem 3.1, which we restate here for convenience. 

Theorem 3.1. The 14-round Feistel construction using 14 independent random functions is 
indifferentiable from a random permutation. 

Proof. Fix a distinguisher D which makes at most q queries. We want to show that D fails to 
distinguish S1 = (P, S^P) from S4 = (Ψ^F, F), and furthermore, that the simulator runs in polynomial 
time, except with negligible probability. 

Consider the system S1, where the distinguisher interacts with (P, S^P). If we replace P with 
the two-sided random function R as described above and the simulator S by T(f), then we obtain 
S2. According to Lemma 3.3 the number of queries the simulator makes in S2 to R is at most 
6q^2 + 6q^2 + 1296q^8 ≤ 1400q^8. Since Lemma 3.2 gives that the permutation is indistinguishable from 
a two-sided random function, we get for q' = 1400q^8 that the probability that D outputs 1 differs 
by at most 2 · 10^7 · q^16 / 2^{2n} in S1 and S2. Furthermore, also by Lemma 3.2, with probability at 
least 1 − 2 · 10^7 · q^16 / 2^{2n}, the first 1400q^8 queries and answers to P in S1 and R in S2 are equivalent, so 
that the simulator is efficient (that is, it makes at most 1400q^8 queries) in S1 with probability at 
least 1 − 2 · 10^7 · q^16 / 2^{2n}. 

Now, the probability that D outputs 1 does not differ by more than the bound of Lemma 3.4 
in S2 and S3. Finally, since this implies that with probability at least 1 minus the bound of 
Lemma 3.4 the distinguisher must give an answer in S3, we can also use Lemma 3.5 and get that 
the probability that the distinguisher answers 1 differs in S3 and S4 by at most the bound of 
Lemma 3.4. 

Finally, from the above results, the probability that D outputs 1 in S1 and S4 differs by at most 
2 · 10^7 · q^16 / 2^{2n} plus twice the bound of Lemma 3.4, which is negligible in n for polynomially bounded q; 
this implies the theorem. □ 



3.3 Equivalence of the First and the Second Experiment 

We now show that S1 and S2 behave the same way, more concretely, that our two-sided random 
function R behaves as a uniform random permutation P. 

Lemma 3.2. Consider a random permutation over 2n bits, to which we add the procedure Check 
as in line 53 of the simulator S. Then, a distinguisher which issues at most q' queries to either 
the random permutation or to the two-sided random function R has advantage at most 6q'^2/2^{2n} in 
distinguishing the two systems. 

To prove the lemma, fix any deterministic distinguisher D that issues at most q' queries. 
Consider the following random experiment E0: 

Experiment E0: D interacts with P'(p), which is defined as follows: The procedures 
P'.P and P'.P^{-1} are the same as R.P and R.P^{-1}. The Check procedure is defined as 

  1  public procedure P'(p).Check(x_0, x_1, x_14, x_15): 
  2    if (↓, x_0, x_1) ∈ P then return P(↓, x_0, x_1) = (x_14, x_15) 
  3    if (↑, x_14, x_15) ∈ P then return P(↑, x_14, x_15) = (x_0, x_1) 
  4    return P(x_0, x_1) = (x_14, x_15)          // Note that the procedure P'.P is called! 

Finally, p is the table of a uniform random permutation (i.e., p(↓, x_0, x_1) = (x_14, x_15) if 
and only if p(↑, x_14, x_15) = (x_0, x_1)). 

If we let D interact with P (adding a Check procedure to P in the most standard way, i.e., as in 
the simulator S), then we get an experiment which behaves exactly as E0. 

We next replace the table p of the random permutation by a table that has uniform random 
entries: 

Experiment E2: D interacts with P'(p), where the entries of p are chosen uniformly 
at random from {0,1}^{2n}. 

We will show that 

Lemma 3.6. The probability that D outputs 1 in E0 differs by at most q'^2/2^{2n} from the probability 
that D outputs 1 in E2. 
Finally we consider the experiment where D interacts with our two-sided random function. 

Experiment E3: D interacts with R(p), where the entries of p are chosen uniformly 
at random from {0,1}^{2n}. 

The only difference between E2 and E3 is the change in the last line in the procedure Check. We 
show that E2 behaves almost as E3: 

Lemma 3.7. The probability that D outputs 1 in E2 differs by at most 5q'^2/2^{2n} from the probability 
that D outputs 1 in E3. 

Lemma 3.2 then follows immediately, as 

    |Pr[D outputs 1 in E0] − Pr[D outputs 1 in E3]| ≤ q'^2/2^{2n} + 5q'^2/2^{2n} = 6q'^2/2^{2n}. 

We proceed to prove Lemmas 3.6 and 3.7. 

Proof of Lemma 3.6. This proof is very similar to the proof that a (one-sided) random permutation 
can be replaced by a (one-sided) random function. 

We introduce the following intermediate experiment: 

Experiment E1: D interacts with P''(p). In P'', the procedure P''.P is defined as 
follows: 

  1  public procedure P''.P(x_0, x_1): 
  2    if (↓, x_0, x_1) ∉ P then 
  3      (x_14, x_15) := p(↓, x_0, x_1) 
  4      if (↑, x_14, x_15) ∈ P then 
  5        (x_14, x_15) ←$ {0,1}^{2n} \ {(x'_14, x'_15) | (↑, x'_14, x'_15) ∈ P} 
  6      P(↓, x_0, x_1) := (x_14, x_15) 
  7      P(↑, x_14, x_15) := (x_0, x_1) 
  8    return P(↓, x_0, x_1) 

The procedure P''.P^{-1} is defined analogously, i.e., picks (x_0, x_1) from p and replaces it 
in case (↓, x_0, x_1) ∈ P. The procedure Check is defined as in P'.Check above. Finally, 
the entries of p are chosen uniformly at random from {0,1}^{2n}. 

First consider the transition from E0 to E1. The procedure Check is the same in both experiments. 
Furthermore, a distinguisher can keep track of the table P and it is also the same in both 
experiments, and so we only need to consider the procedures P and P^{-1}: the procedure Check 
could be a part of the distinguisher. 

Now, in both experiments, the values chosen in the procedures P and P^{-1} are chosen uniformly 
at random from the set of values that do not correspond to an earlier query. Thus, E0 and E1 
behave identically. 

Now consider the transition from E1 to E2. Consider E1 and let BadQuery be the event that in 
P we have (↑, x_14, x_15) ∈ P, or in P^{-1} we have (↓, x_0, x_1) ∈ P. We show that this event is unlikely, 
and that the two experiments behave identically if BadQuery does not occur in E1. 

There are at most q' queries to P or P^{-1} in an execution of E1, since each Check query issues 
at most one query to P. Observe that each table entry in p is accessed at most once and thus each 
time p is accessed it returns a fresh uniform random value. Since for each query there are at most q' 
values in P, and p contains uniform random entries, we have Pr[BadQuery occurs in E1] ≤ q'^2/2^{2n}. The 
systems E1 and E2 behave identically if BadQuery does not occur. Thus, |Pr[D outputs 1 in E1] − 
Pr[D outputs 1 in E2]| ≤ Pr_p[BadQuery occurs in E1] ≤ q'^2/2^{2n}. □ 



Proof of Lemma\3.T\ The event BadCheck occurs for some p if P'. Check returns true in the last 



line in E2 in an execution using p. The event Bad Overwrite occurs for some p if either in E2 or in 



E3, in any call to P or P x , an entry of P is overwritten 13 The event BadBackwardQuery occurs if 



in E2 there exist (#0,^1), (#14, #15) such that all of the following hold: 

(i) The query P(#o,#i) is issued in the last line of a Check query, and P(],,xq,xi) is set to 
(x* 4 ,^ 5 ) =p(l,x ,xi). 

(ii) After (i), the query P (#14? #15)5 or the query Check(#o? #1, x\^ x^) is issued. 

(hi) The query P(#o,^l) is not issued by the distinguisher between point (i) and point (ii). 

We show that these events are unlikely, and that $E_2$ and $E_3$ behave identically if the events do not occur for a given $p$.

For BadCheck to occur in a fixed call $P'$.Check$(x_0, x_1, x_{14}, x_{15})$, it must be that $(\downarrow, x_0, x_1) \notin P$ and $(\uparrow, x_{14}, x_{15}) \notin P$. Thus, in the call $P(x_0, x_1)$ in the last line of Check, $P(\downarrow, x_0, x_1)$ will be set to a fresh uniform random value $p(\downarrow, x_0, x_1)$, and this value is returned by $P$. Therefore, the probability over the choice of $p$ that $P(x_0, x_1) = (x_{14}, x_{15})$ is at most $1/2^{2n}$. Since Check is called at most $q'$ times, we see that $\Pr_p[\text{BadCheck}] \le q'/2^{2n}$.

We now bound the probability that BadOverwrite occurs in $E_2$. This only happens if a fresh uniform random entry read from $p$ collides with an entry in $P$. Since there are at most $q'$ queries to $P$ and $P^{-1}$ and at most $q'$ entries in $P$, we get $\Pr_p[\text{BadOverwrite occurs in } E_2] \le (q')^2/2^{2n}$. The same argument gives a bound on BadOverwrite in $E_3$, and so $\Pr_p[\text{BadOverwrite}] \le 2(q')^2/2^{2n}$.

We next estimate the probability of $(\text{BadBackwardQuery} \wedge \neg\text{BadCheck})$. Consider any pairs $(x_0, x_1)$, $(x_{14}, x_{15})$ such that (i) holds. Clearly, since BadCheck does not occur, the Check query returns false. Now, as long as none of the queries $P(x_0, x_1)$, $P^{-1}(x_{14}, x_{15})$ or Check$(x_0, x_1, x_{14}, x_{15})$ is done by the distinguisher, the value of $(x_{14}, x_{15})$ is independently chosen at random from all the pairs $(x'_{14}, x'_{15})$ for which Check$(x_0, x_1, x'_{14}, x'_{15})$ was not queried. Thus, the probability that in a single query, the distinguisher queries one of $P^{-1}(x_{14}, x_{15})$ or Check$(x_0, x_1, x_{14}, x_{15})$ is at most $1/(2^{2n} - q') \le 2/2^{2n}$ (assuming $q' \le 2^{2n-1}$). Since there are at most $q'$ Check queries, we find

$\Pr_p[(\text{BadBackwardQuery} \wedge \neg\text{BadCheck})] \le 2(q')^2/2^{2n}$.

We proceed to argue that if the bad events do not occur, the two experiments behave identically. Thus, let $p$ be a table such that none of BadCheck, BadBackwardQuery, and BadOverwrite occurs.

We first observe that the following invariant holds in both $E_2$ and $E_3$: after any call to $P$, $P^{-1}$ or Check, if $P(\downarrow, x_0, x_1) = (x_{14}, x_{15})$ for some values $(x_0, x_1, x_{14}, x_{15})$, then $P(\uparrow, x_{14}, x_{15}) = (x_0, x_1)$, and vice versa. The reason is simply that no value is ever overwritten in the tables, and whenever $P(\uparrow, \cdot, \cdot)$ is set, then $P(\downarrow, \cdot, \cdot)$ is also set.

Next, we argue inductively that for a $p$ for which none of our bad events occur, all queries and answers in $E_2$ and $E_3$ are the same.

For this, we start by showing that (under the induction hypothesis), if a triple $(\downarrow, x_0, x_1)$ is in $P$ in the experiment $E_3$, then the triple is in $P$ in $E_2$ as well, and both have the same image $(x_{14}, x_{15})$. This holds because of two reasons: first, in $E_3$, each such entry corresponds to an answer to a previously issued query to $P$ or $P^{-1}$. This query was also issued in $E_2$, and at that point the answer was identical, so that the entry $P(\downarrow, x_0, x_1)$ was identical (this also holds if the response in $E_2$ is due to the entry $P(\uparrow, x_{14}, x_{15})$, because we saw above that this implies $P(\downarrow, x_0, x_1) = (x_{14}, x_{15})$). Since the event BadOverwrite does not occur, the property will still hold later. (We remark that entries in the table $P$ in $E_2$ may exist which are not in $E_3$.)

$^{13}$ It would actually be sufficient to consider the system $E_2$ here, but we can save a little bit of work by considering both $E_2$ and $E_3$.

We now establish our claim that all queries and answers of the distinguisher in $E_2$ and $E_3$ are the same.

Consider first a $P$-query $P(x_0, x_1)$. If $(\downarrow, x_0, x_1) \in P$ in $E_3$, the previous paragraph gives the result for this query. If $(\downarrow, x_0, x_1) \notin P$ in both $E_2$ and $E_3$, the same code is executed. The only remaining case is $(\downarrow, x_0, x_1) \in P$ in $E_2$ and $(\downarrow, x_0, x_1) \notin P$ in $E_3$. The only way this can happen is if the query $P(x_0, x_1)$ was invoked previously from a query to Check in $E_2$, in which case the same entry $p(\downarrow, x_0, x_1)$ was used to set $P$, and we get the result.

Next, we consider a $P^{-1}$-query $P^{-1}(x_{14}, x_{15})$. Again, the only non-trivial case is if $(\uparrow, x_{14}, x_{15}) \in P$ in $E_2$ and $(\uparrow, x_{14}, x_{15}) \notin P$ in $E_3$. This is only possible if during some query to Check$(x_0, x_1, \cdot, \cdot)$ in $E_2$, the last line invoked $P(x_0, x_1)$, and $(x_{14}, x_{15}) = p(\downarrow, x_0, x_1)$. Since it also must be that until now the distinguisher never invoked $P(x_0, x_1)$ (otherwise, $P(\uparrow, x_{14}, x_{15}) = (x_0, x_1)$ in $E_3$), this implies that the event BadBackwardQuery must have happened.

Finally, consider a call Check$(x_0, x_1, x_{14}, x_{15})$ to Check. In case $(\downarrow, x_0, x_1) \in P$ in $E_3$ and in case $(\downarrow, x_0, x_1) \notin P$ in $E_2$, line 20 behaves the same in both $E_2$ and $E_3$. If $(\downarrow, x_0, x_1) \in P$ in $E_2$ and $(\downarrow, x_0, x_1) \notin P$ in $E_3$, then first in $E_3$, Check returns false. In $E_2$, Check can only return true if the event BadBackwardQuery occurs.

The second if statement in Check (in $E_3$ this is line 21 of $R$) can only return false in both $E_2$ and $E_3$: otherwise, the first if statement in Check (in $E_3$ this is line 20 of $R$) would already have returned true. This is sufficient, because the event BadCheck does not occur, and so the last line of Check in both systems also returns false.

Thus,

$$\Pr_p[D \text{ outputs 1 in } E_2] - \Pr_p[D \text{ outputs 1 in } E_3] \le \Pr_p[(\text{BadCheck} \vee \text{BadOverwrite} \vee \text{BadBackwardQuery})] \le \frac{q'}{2^{2n}} + \frac{2(q')^2}{2^{2n}} + \frac{2(q')^2}{2^{2n}} \le \frac{5(q')^2}{2^{2n}}.$$ □



3.4 Complexity of the Simulator 

In this section we show that the simulator is efficient in scenario S2. 

Lemma 3.8. Consider $S_2(f,p)$, and suppose that the distinguisher makes at most $q$ queries. Then, the simulator dequeues at most $q$ times a partial chain of the form $(x_1, x_2, 1, \ell)$ for which $(x_1, x_2, 1) \notin$ CompletedChains.

Proof. Consider such a dequeue call and let $(x_1, x_2, 1, \ell)$ be the partial chain dequeued for which $(x_1, x_2, 1) \notin$ CompletedChains. A chain $(x_1, x_2, 1, \ell)$ is only enqueued when $(x_1, x_2, x_{13}, x_{14})$ is detected, and since neither $G_1(x_1)$ nor $G_{14}(x_{14})$ are ever overwritten, this means that we can find a unique 4-tuple $(x_0, x_1, x_{14}, x_{15})$ associated with $(x_1, x_2, 1)$ for which Check$(x_0, x_1, x_{14}, x_{15})$ was true at the moment $(x_1, x_2, 1, \ell)$ was enqueued. We can now find a unique query to $p$ which corresponds to $(x_0, x_1, x_{14}, x_{15})$: pick $p(\uparrow, x_{14}, x_{15}) = (x_0, x_1)$ if this was a query and its answer, or otherwise $p(\downarrow, x_0, x_1) = (x_{14}, x_{15})$. This table entry of $p$ was accessed during a call to $P$ or $P^{-1}$, and this call was made either by the distinguisher or the simulator. We argue that this call cannot have been by the simulator. The simulator issues such calls only when it completes a chain, and after this completion, it adds $(x_1, x_0 \oplus G_1(x_1), 1)$ to CompletedChains, and so it cannot have been that $(x_1, x_2, 1) \notin$ CompletedChains when it was dequeued. Thus, we found a unique query of the distinguisher associated with this dequeue call. Finally, note that after $(x_1, x_2, 1)$ is completed by the simulator, $(x_1, x_2, 1)$ is added to CompletedChains. Thus, there are at most $q$ such dequeue calls. □



Lemma 3.3. Consider $S_2(f,p)$, and suppose that the distinguisher makes at most $q$ queries. Then, at any point in the execution we have $|G_i| \le 6q^2$ for all $i$. Furthermore, there are at most $6q^2$ queries to both $R.P$ and $R.P^{-1}$, and at most $1296 q^8$ queries to $R$.Check.

Proof. We first show that $|G_7| \le 2q$ and $|G_8| \le 2q$. Assignments $G_7(x_7) := f(7, x_7)$ and $G_8(x_8) := f(8, x_8)$ only happen in two cases: either when the distinguisher directly queries the corresponding value using $F$, or when the simulator completes a chain $(x_1, x_2, 1, \ell)$ which it dequeued. There can be at most $q$ queries to $F$, and according to Lemma 3.8 there are at most $q$ such chains which are completed, which implies the bound.

The set $G_i$ can only be enlarged by 1 in the following cases: if the distinguisher queries $F(i, \cdot)$, if a chain of the form $(x_1, x_2, 1, \ell)$ is dequeued and not in CompletedChains, or if a chain $(x_7, x_8, 7, \ell)$ is dequeued and not in CompletedChains. There are at most $q$ events of the first kind, at most $q$ events of the second kind (using Lemma 3.8), and at most $|G_7| \cdot |G_8| \le 4q^2$ events of the last kind, giving a total of $4q^2 + 2q \le 6q^2$.

A query to $R.P$ or $R.P^{-1}$ can be made either by the distinguisher, or by the simulator when it completes a chain. At most $q$ events of the first kind, and at most $q + 4q^2$ events of the second kind are possible. Thus, at most $6q^2$ of these queries occur. The number of Check queries by the simulator is bounded by $|G_1 \times G_2 \times G_{13} \times G_{14}| \le (6q^2)^4$. □



3.5 Equivalence of the Second and the Third Experiment 



This section contains the core of our argument: We prove Lemma 3.4, which states that $S_2(f,p)$ and $S_3(h)$ have the same behaviour for uniformly chosen $(f,p)$ and $h$. For most part of the analysis, we consider the scenario $S_2(f,p)$. We let $G = (G_1, \ldots, G_{14})$ be the tuple of tables of the simulator $T(f)$ in the execution.



3.5.1 Partial chains

Evaluating partial chains. A partial chain is a triple $(x_k, x_{k+1}, k) \in \{0,1\}^n \times \{0,1\}^n \times \{0, \ldots, 14\}$. Given such a partial chain $C$, and a set of tables $T.G$ and $R.P$, it can be that we can move "forward" or "backward" one step in the Feistel construction. This is captured by the functions next and prev. Additionally, the functions $\mathsf{val}^+$ and $\mathsf{val}^-$ allow us to access additional values of the chain indexed by $C$, $\mathsf{val}^+$ by invoking next, and $\mathsf{val}^-$ by invoking prev. The function $\mathsf{val}$ finally gives us the same information in case we do not want to bother about the direction.

Definition 3.9. Fix a set of tables $G = T.G$ and $P = R.P$ in an execution of $S_2(f,p)$. Let $C = (x_k, x_{k+1}, k)$ be a partial chain. We define the functions next, prev, $\mathsf{val}_i^+$, $\mathsf{val}_i^-$, and $\mathsf{val}_i$ with the following procedures (for a chain $C = (x_k, x_{k+1}, k)$, we let $C[1] = x_k$, $C[2] = x_{k+1}$ and $C[3] = k$):

procedure next(x_k, x_{k+1}, k):
  if k < 14 then
    if x_{k+1} ∉ G_{k+1} then return ⊥
    x_{k+2} := x_k ⊕ G_{k+1}(x_{k+1})
    return (x_{k+1}, x_{k+2}, k + 1)
  else if k = 14 then
    if (↑, x_14, x_15) ∉ P then return ⊥
    (x_0, x_1) := P(↑, x_14, x_15)
    return (x_0, x_1, 0)

procedure prev(x_k, x_{k+1}, k):
  if k > 0 then
    if x_k ∉ G_k then return ⊥
    x_{k-1} := x_{k+1} ⊕ G_k(x_k)
    return (x_{k-1}, x_k, k - 1)
  else if k = 0 then
    if (↓, x_0, x_1) ∉ P then return ⊥
    (x_14, x_15) := P(↓, x_0, x_1)
    return (x_14, x_15, 14)

procedure val_i^+(C):
  while (C ≠ ⊥) ∧ (C[3] ∉ {i - 1, i}) do
    C := next(C)
  if C = ⊥ then return ⊥
  if C[3] = i then return C[1] else return C[2]

procedure val_i^-(C):
  while (C ≠ ⊥) ∧ (C[3] ∉ {i - 1, i}) do
    C := prev(C)
  if C = ⊥ then return ⊥
  if C[3] = i then return C[1] else return C[2]

procedure val_i(C):
  if val_i^+(C) ≠ ⊥ then return val_i^+(C) else return val_i^-(C)

We use the convention that $\bot \notin G_i$ for any $i \in \{1, \ldots, 14\}$. Thus, the expression $\mathsf{val}_i(C) \notin G_i$ means that $\mathsf{val}_i(C) = \bot$ or that $\mathsf{val}_i(C) \ne \bot$ and $\mathsf{val}_i(C) \notin G_i$. Furthermore, even though next and prev may return $\bot$, according to our definition of partial chains, $\bot$ is not a partial chain.



Equivalent partial chains. We use the concept of equivalent partial chains:

Definition 3.10. For a given set of tables $G$ and $P$, two partial chains $C$ and $D$ are equivalent (denoted $C \equiv D$) if they are in the reflexive transitive closure of the relations given by next and prev.

In other words, two chains $C$ and $D$ are equivalent if $C = D$ or if $D$ can be obtained by applying next and prev finitely many times on $C$.

Note that this relation is not an equivalence relation, since it is not necessarily symmetric.$^{14}$ However, we will prove that for most executions of $S_2(f,p)$ it actually is symmetric and thus an equivalence relation. Furthermore, it is possible that two different chains $(x_0, x_1, 0)$ and $(y_0, y_1, 0)$ are equivalent (e.g., by applying next 15 times). While we eventually show that for most executions of $S_2(f,p)$ this does not happen, this is not easy to show, and we cannot assume it for most of the following proof.

$^{14}$ The symmetry can be violated if in the two-sided random function $R$ an entry of the table $P$ is overwritten.

3.5.2 Bad events and good executions

As usual in indistinguishability proofs, for some pairs $(f,p)$ the system $S_2(f,p)$ does not behave as "it should". In this section we collect events which we show later to occur with low probability. We later study $S_2(f,p)$ for pairs $(f,p)$ for which these events do not occur.

All events occur if some unexpected collision happens to one of the partial chains which can be defined with elements of $G_1, \ldots, G_{14}$ and $P$.

Definition 3.11. The set of table-defined partial chains contains all chains $C$ for which next$(C) \ne \bot$ and prev$(C) \ne \bot$.

If $C = (x_k, x_{k+1}, k)$ for $k \in \{1, \ldots, 13\}$, then $C$ is table-defined if and only if $x_k \in G_k$ and $x_{k+1} \in G_{k+1}$. For $k \in \{0, 14\}$, $C$ is table-defined if the "inner" value is in $G_1$ or $G_{14}$, respectively, and a corresponding triple is in $P$.

Hitting permutations. Whenever we call the two-sided random function, a query to the table $p$ may occur. If such a query has unexpected effects, the event BadP occurs.

Definition 3.12. The event BadP occurs in an execution of $S_2(f,p)$ if immediately after a call $(x_{14}, x_{15}) := p(\downarrow, x_0, x_1)$ in line 7 of $R$ we have one of

• $(\uparrow, x_{14}, x_{15}) \in P$,

• $x_{14} \in G_{14}$.

Also, it occurs if immediately after a call $(x_0, x_1) := p(\uparrow, x_{14}, x_{15})$ in line 14 of $R$ we have one of

• $(\downarrow, x_0, x_1) \in P$,

• $x_1 \in G_1$.

If BadP does not occur, then we will be able to show that evaluating $P$ and $P^{-1}$ is a bijection, since no value is overwritten.

Chains hitting tables. Consider an assignment $G_i(x_i) := f(i, x_i)$. Unless something unexpected happens, such an assignment allows evaluating next$(C)$ at most once more.

Definition 3.13. The event BadlyHit occurs if one of the following happens in an execution of $S_2(f,p)$:

• After an assignment $G_k(x_k) := f(k, x_k)$ there is a table-defined chain $(x_k, x_{k+1}, k)$ such that prev(prev$(x_k, x_{k+1}, k)) \ne \bot$.

• After an assignment $G_k(x_k) := f(k, x_k)$ there is a table-defined chain $(x_{k-1}, x_k, k-1)$ such that next(next$(x_{k-1}, x_k, k-1)) \ne \bot$.

Furthermore, if the above happens for some chain $C$, and $C'$ is a chain equivalent to $C$ before the assignment, we say that $C'$ badly hits the tables.

We will later argue that the event BadlyHit is unlikely, because a chain only badly hits the tables if $f(k, x_k)$ takes a very particular value. For this (and similar statements), it is useful to note that the set of table-defined chains after an assignment $G_k(x_k) := f(k, x_k)$ does not depend on the value of $f(k, x_k)$, as the reader can verify.

Colliding chains. Two chains $C$ and $D$ collide if after an assignment suddenly $\mathsf{val}_i(C) = \mathsf{val}_i(D)$, even though this was not expected. More exactly:

Definition 3.14. Let $G$ and $P$ be a set of tables, let $x_k \notin G_k$, and consider two partial chains $C$ and $D$. An assignment $G_k(x_k) := y$ badly collides $C$ and $D$ if for some $i \in \{0, \ldots, 15\}$ and $\sigma, \rho \in \{+, -\}$ all of the following happen:

• Before the assign­ment, $C$ and $D$ are not equivalent.

• Before the assignment, $\mathsf{val}_i^\sigma(C) = \bot$ or $\mathsf{val}_i^\rho(D) = \bot$.

• After the assignment, $\mathsf{val}_i^\sigma(C) = \mathsf{val}_i^\rho(D) \ne \bot$.

We say that the event BadlyCollide occurs in an execution $S_2(f,p)$, if an assignment of the form $G_i(x_i) := f(i, x_i)$ makes two partial chains badly collide, and the two chains are table-defined after the assignment.

Finally, we say that a pair $(f,p)$ is good if none of the above three events happen in an execution of $S_2(f,p)$.
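The partial-chain machinery of Definitions 3.9 to 3.11 and the BadlyHit condition of Definition 3.13 are compact enough to execute. The following Python model is an added example, not code from the paper or its authors. It assumes a toy half-block width of 8 bits, represents each $G_k$ as a dict and $P$ as a dict keyed by direction, and the names next_chain, prev_chain, val_dir, val, table_defined, equivalent, badly_hit and build_example_tables are ours. It builds one full Feistel evaluation as constructed sample input, reads all sixteen values off a chain with val, shows that forgetting the single $G_5$ entry makes the chain $(x_5, x_6, 5)$ non-table-defined while $\mathsf{val}_4$ still reaches $x_4$ the long way round through $P$, and finally evaluates BadlyHit for two candidate values of $G_5(x_5)$: a generic one, which does not hit, and the one value that closes the cycle again, which does (the "very particular value" remark after Definition 3.13).

```python
# Added example, not the paper's code. Tables: G[k] maps x_k -> G_k(x_k) for
# k = 1..14; P maps (DOWN, x0, x1) -> (x14, x15) and (UP, x14, x15) -> (x0, x1).
# BOTTOM stands for the symbol "bottom". N_BITS = 8 is a toy choice (assumption).
import random

N_BITS = 8
BOTTOM = None
DOWN, UP = "down", "up"

def next_chain(C, G, P):
    """One step forward in the Feistel construction (Definition 3.9), or BOTTOM."""
    xk, xk1, k = C
    if k < 14:
        if xk1 not in G[k + 1]:
            return BOTTOM
        return (xk1, xk ^ G[k + 1][xk1], k + 1)   # x_{k+2} = x_k xor G_{k+1}(x_{k+1})
    if (UP, xk, xk1) not in P:                     # k = 14: forward through P
        return BOTTOM
    x0, x1 = P[(UP, xk, xk1)]
    return (x0, x1, 0)

def prev_chain(C, G, P):
    """One step backward; the mirror image of next_chain."""
    xk, xk1, k = C
    if k > 0:
        if xk not in G[k]:
            return BOTTOM
        return (xk1 ^ G[k][xk], xk, k - 1)         # x_{k-1} = x_{k+1} xor G_k(x_k)
    if (DOWN, xk, xk1) not in P:                   # k = 0: backward through P
        return BOTTOM
    x14, x15 = P[(DOWN, xk, xk1)]
    return (x14, x15, 14)

def val_dir(i, C, G, P, step):
    """val_i^+ (step=next_chain) or val_i^- (step=prev_chain): walk until the
    chain index is i-1 or i, then read x_i off the chain."""
    while C is not BOTTOM and C[2] not in (i - 1, i):
        C = step(C, G, P)
    if C is BOTTOM:
        return BOTTOM
    return C[0] if C[2] == i else C[1]

def val(i, C, G, P):
    """val_i: the forward value if defined, otherwise the backward one."""
    v = val_dir(i, C, G, P, next_chain)
    return v if v is not BOTTOM else val_dir(i, C, G, P, prev_chain)

def table_defined(C, G, P):
    """Definition 3.11: both next and prev succeed."""
    return next_chain(C, G, P) is not BOTTOM and prev_chain(C, G, P) is not BOTTOM

def equivalent(C, D, G, P):
    """Definition 3.10: D is reachable from C by finitely many next/prev steps."""
    seen, stack = {C}, [C]
    while stack:
        X = stack.pop()
        if X == D:
            return True
        for Y in (next_chain(X, G, P), prev_chain(X, G, P)):
            if Y is not BOTTOM and Y not in seen:
                seen.add(Y)
                stack.append(Y)
    return False

def badly_hit(k, xk, G, P):
    """Definition 3.13 for an assignment G_k(x_k) that is already stored in G."""
    fwd = ([(xk, y, k) for y in G[k + 1]] if k < 14
           else [(xk, y, 14) for (d, a, y) in P if d == UP and a == xk])
    bwd = ([(y, xk, k - 1) for y in G[k - 1]] if k > 1
           else [(y, xk, 0) for (d, y, b) in P if d == DOWN and b == xk])
    two_prev = lambda C: prev_chain(prev_chain(C, G, P), G, P)
    two_next = lambda C: next_chain(next_chain(C, G, P), G, P)
    return (any(table_defined(C, G, P) and two_prev(C) is not BOTTOM for C in fwd)
            or any(table_defined(C, G, P) and two_next(C) is not BOTTOM for C in bwd))

def build_example_tables(seed=1):
    """Constructed sample input: one full 14-round evaluation with random round
    function entries, plus the matching P entries in both directions."""
    rng = random.Random(seed)
    G = {k: {} for k in range(1, 15)}
    xs = [rng.randrange(1 << N_BITS), rng.randrange(1 << N_BITS)]   # x_0, x_1
    for k in range(1, 15):
        G[k][xs[k]] = rng.randrange(1 << N_BITS)
        xs.append(xs[k - 1] ^ G[k][xs[k]])                           # x_{k+1}
    P = {(DOWN, xs[0], xs[1]): (xs[14], xs[15]), (UP, xs[14], xs[15]): (xs[0], xs[1])}
    return G, P, xs

def demo():
    G, P, xs = build_example_tables()
    C = (xs[7], xs[8], 7)
    full = all(val(i, C, G, P) == xs[i] for i in range(16))
    cyclic = equivalent(C, (xs[0], xs[1], 0), G, P) and equivalent((xs[0], xs[1], 0), C, G, P)
    g5 = G[5].pop(xs[5])                      # forget G_5(x_5)
    partial = (table_defined((xs[5], xs[6], 5), G, P),   # no longer table-defined
               val_dir(4, C, G, P, prev_chain),          # backward walk stops at G_5
               val(4, C, G, P) == xs[4])                 # but val_4 still reaches x_4 via P
    G[5][xs[5]] = g5 ^ 1                      # a generic value for G_5(x_5): no hit
    hit_generic = badly_hit(5, xs[5], G, P)
    G[5][xs[5]] = g5                          # the one value that closes the cycle: hit
    hit_particular = badly_hit(5, xs[5], G, P)
    return full, cyclic, partial, hit_generic, hit_particular
```

The equivalent check computes the reflexive transitive closure of Definition 3.10 by depth-first search over next and prev; with intact tables it is symmetric in this sample, which is what Lemma 3.20 (c) later establishes for all good executions. The val loop always terminates because next and prev step the index by one modulo 15, so any cycle passes through every index, including $i-1$ or $i$.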

3.5.3 Bad events are unlikely

In this subsection we show that all the bad events we have introduced are unlikely.

Hitting permutations.

Lemma 3.15. Suppose that $S_2(f,p)$ is such that for any $(f,p)$ the tables satisfy $|G_i| \le T$ for all $i$ and $|P| \le T$ at any point in the execution. Then, the probability over the choice of $(f,p)$ of the event BadP is at most $2T^2/2^n$.

Proof. For any query to $p$ only 2 events are possible. In both cases, these events have probability at most $T/2^n$. Since at most $T$ positions of $p$ can be accessed without violating $|P| \le T$, we get the claim. □

Chains hitting tables. We now show that the event BadlyHit is unlikely.

Lemma 3.16. Suppose that $S_2(f,p)$ is such that for any $(f,p)$ the tables satisfy $|G_i| \le T$ for all $i$ and $|P| \le T$ at any point in the execution. Then, the probability over the choice of $(f,p)$ of the event BadlyHit is at most $30 \cdot T^3/2^n$.

Proof. We first bound the probability of the first event, i.e., that after the assignment $G_k(x_k) := f(k, x_k)$ there is a table-defined chain $C = (x_k, x_{k+1}, k)$ such that prev(prev$(C)) \ne \bot$. This can only happen if $x_{k+1} \oplus G_k(x_k)$ has one of at most $T$ different values (namely, it has to be in $G_{k-1}$ in case $14 \ge k \ge 2$, or in $P$ together with $x_1$ in case $k = 1$). Thus, for fixed $x_{k+1} \in G_{k+1}$ the probability that prev(prev$(C)) \ne \bot$ is at most $T/2^n$. Since there are at most $T$ possible choices for $x_{k+1}$ (this also holds if $k = 14$) the total probability is at most $T^2/2^n$.

The analogous probability for next is exactly the same and thus the probability of BadlyHit for one assignment is at most $2 \cdot T^2/2^n$. In total, there are at most $14 \cdot T$ assignments of the form $G_k(x_k) := f(k, x_k)$, and thus the probability of BadlyHit is at most $28 T^3/2^n$. □



Colliding chains. We next show that it is unlikely that chains badly collide. First, we give a useful lemma which explains how the chains behave when they do not badly hit $G$: only one value $\mathsf{val}_i(C)$ can change from $\bot$ to a different value.

Lemma 3.17. Consider a set of tables $G$ and $P$, $x_k \notin G_k$, fix a partial chain $C$, and suppose that $C$ does not badly hit the tables due to the assignment $G_k(x_k) := f(k, x_k)$. Then, for each chain $C$ and each $\sigma \in \{+, -\}$ there is at most one value $i$ such that $\mathsf{val}_i^\sigma(C)$ differs after the assignment from before the assignment. Furthermore, if some value changes, then it changes from $\bot$ to a different value, and

$$i = \begin{cases} k + 1 & \text{if } \sigma = + \\ k - 1 & \text{if } \sigma = -, \end{cases}$$

and $\mathsf{val}_k^\sigma(C) = x_k$ before the assignment.

Proof. We give the proof for $\sigma = +$, the other case is symmetric. First, we see that if $\mathsf{val}_i^+(C) \ne \bot$ before the assignment, then it does not change due to the assignment. This follows by induction on the number of calls to next in the evaluation of $\mathsf{val}^+$, and by noting that $G_k(x_k) := f(k, x_k)$ is not called if $x_k \in G_k$ in the simulator.

Thus, suppose that $\mathsf{val}_i^+(C) = \bot$. This means that during the evaluation of $\mathsf{val}_i^+(C)$ at some point the evaluation stopped. This was either because a queried triple was not in $P$, or because a value $x_j$ was not in $G_j$ during the evaluation. In the first case, the evaluation of $\mathsf{val}_i^+(C)$ will not change due to an assignment to $G_k(x_k)$. In the second case, the evaluation can only change if it stopped because $\mathsf{val}_k^+(C) = x_k$. Then after the assignment, $\mathsf{val}_{k+1}^+(C)$ will change from $\bot$ to a different value. Since $C$ does not badly hit the tables under the assignment, $\mathsf{val}_{k+1}^+(C) \notin G_{k+1}$ after this assignment (in case $k + 1 < 15$), and $(\uparrow, \mathsf{val}_{14}^+(C), \mathsf{val}_{15}^+(C)) \notin P$ (in case $k + 1 = 15$). Thus, there is only one change in the evaluation. □

Instead of showing that BadlyCollide is unlikely, it is slightly simpler to consider the event $(\text{BadlyCollide} \wedge \neg\text{BadlyHit} \wedge \neg\text{BadP})$.

Lemma 3.18. Suppose that $S_2(f,p)$ is such that for any $(f,p)$ the tables satisfy $|G_i| \le T$ for all $i$ and $|P| \le T$ at any point in the execution. Then, the probability of the event $(\text{BadlyCollide} \wedge \neg\text{BadlyHit} \wedge \neg\text{BadP})$ is at most $15\,000 \cdot T^5/2^n$.

Proof. If the event $(\text{BadlyCollide} \wedge \neg\text{BadlyHit} \wedge \neg\text{BadP})$ happens for a pair $(f,p)$, then there is some point in the execution where some assignment $G_k(x_k) := f(k, x_k)$ makes a pair $(C, D)$ of partial chains collide as in Definition 3.14. After this assignment, both $(C, D)$ are table-defined, and $\mathsf{val}_\ell^\sigma(C) = \mathsf{val}_\ell^\rho(D)$.

We distinguish some cases: first suppose that $\mathsf{val}_\ell^+(C) = \mathsf{val}_\ell^+(D) = \bot$ before the assignment and $\mathsf{val}_\ell^+(C) = \mathsf{val}_\ell^+(D) \ne \bot$ after the assignment. Since BadlyHit does not happen, Lemma 3.17 implies that before the assignment, $\mathsf{val}_{\ell-1}^+(C) = \mathsf{val}_{\ell-1}^+(D)$, and furthermore $\ell - 1 \in \{1, \ldots, 14\}$. Also, since $C \not\equiv D$ before the assignment, it must be that before the assignment $\mathsf{val}_{\ell-2}^+(C) \ne \mathsf{val}_{\ell-2}^+(D)$. However, this implies that $\mathsf{val}_\ell^+(C) \ne \mathsf{val}_\ell^+(D)$ after the assignment. Therefore, this case is impossible and has probability 0.

Next, we consider the case $\mathsf{val}_\ell^+(C) = \bot$, $\mathsf{val}_\ell^-(D) \ne \bot$ before the assignment, and $\mathsf{val}_\ell^+(C) = \mathsf{val}_\ell^-(D)$ after the assignment. Since $D$ is table-defined after the assignment, and we assume BadlyHit does not occur, by Lemma 3.17 the value $\mathsf{val}_\ell^-(D)$ does not change due to the assignment. Since $\mathsf{val}_\ell^+(C) = \mathsf{val}_{\ell-2}^+(C) \oplus G_{\ell-1}(x_{\ell-1})$, and $G_{\ell-1}(x_{\ell-1})$ is chosen uniformly at random, the probability that it exactly matches $\mathsf{val}_\ell^-(D)$ is $2^{-n}$.

The next two cases are similar to the previous ones, we give them for completeness. The first of these two is that $\mathsf{val}_\ell^-(C) = \mathsf{val}_\ell^-(D) = \bot$ before the assignment, and $\mathsf{val}_\ell^-(C) = \mathsf{val}_\ell^-(D) \ne \bot$ after the assignment. However, due to Lemma 3.17 this is impossible: we would need both $k = \ell + 1$ and $k = \ell - 1$ for both values to change as needed.

Then, we have the case that $\bot = \mathsf{val}_\ell^-(C) \ne \mathsf{val}_\ell^+(D)$ before the assignment, and $\mathsf{val}_\ell^-(C) = \mathsf{val}_\ell^+(D)$ after the assignment. Again, $\mathsf{val}_\ell^+(D)$ does not change by the assignment due to Lemma 3.17, and also similarly to before, the probability that $\mathsf{val}_{\ell+2}^-(C) \oplus f(\ell + 1, \mathsf{val}_{\ell+1}^-(C)) = \mathsf{val}_\ell^+(D)$ is $2^{-n}$.

Bounds on the probability of the 4 remaining cases follow by symmetry of the construction.

There are 4 possibilities for the values of $\sigma$ and $\rho$. As previously, there can be at most $14 \cdot T$ assignments of the form $G_k(x_k) := f(k, x_k)$. For each assignment, there are at most $15 \cdot T^2$ possibilities for a chain to be table-defined before the assignment. Since the chains that are table-defined after the assignment, but not before, must involve $x_k$, there are at most $2 \cdot T$ possibilities for a fixed assignment. Thus the probability of the event $(\text{BadlyCollide} \wedge \neg\text{BadlyHit} \wedge \neg\text{BadP})$ is at most $4 \cdot 14 \cdot T \cdot (15 T^2 + 2T)^2 / 2^n \le 15\,000 \cdot T^5 / 2^n$. □

Most executions are good. We collect our findings in the following lemma:

Lemma 3.19. Suppose that $S_2(f,p)$ is such that for any $(f,p)$ the tables satisfy $|G_i| \le T$ for all $i$ and $|P| \le T$ at any point in the execution. Then, the probability that a uniformly randomly chosen $(f,p)$ is not good is at most $16\,000 \cdot T^5/2^n$.

Proof. This follows immediately from Lemmata 3.15, 3.16, and 3.18. □



3.5.4 Properties of good executions

We now study executions of $S_2(f,p)$ with good pairs $(f,p)$. One of the main goals of this section is to prove Lemma 3.28, which states that no call to ForceVal overwrites a previous entry. However, we later also use Lemma 3.29 (in good executions, evaluating the Feistel construction for a pair $(x_0, x_1)$ leads to $P(x_0, x_1)$; if not, it would be silly to hope that our simulator emulates a Feistel construction), and Lemma 3.30 (the number of times Adapt is called in $T(f)$ is exactly the same as the number of times the table $p$ is queried in $R(p)$).

We first state two basic lemmas about good executions:

Lemma 3.20. Consider an execution of $S_2(f,p)$ with a good pair $(f,p)$. Then, we have

(a) For any partial chain $C$, if next$(C) = \bot$ before an assignment $G_i(x_i) := f(i, x_i)$ or a pair of assignments to $P$ in $R$, then if $C$ is table-defined after the assignment(s), next(next$(C)) = \bot$. For any partial chain $C$, if prev$(C) = \bot$ before an assignment $G_i(x_i) := f(i, x_i)$ or a pair of assignments to $P$ in $R$, then if $C$ is table-defined after the assignment(s), prev(prev$(C)) = \bot$.

(b) For all partial chains $C$ and $D$, we have next$(C) = D \iff$ prev$(D) = C$.

(c) The relation $\equiv$ between partial chains is an equivalence relation.

Proof. For assignments of the form $G_i(x_i) := f(i, x_i)$, (a) follows directly since BadlyHit does not occur. For the assignments to $P$, it follows because BadP does not occur.

The statement (b) is trivial for chains $C = (x_k, x_{k+1}, k)$ with $k \in \{0, \ldots, 13\}$, since evaluating the Feistel construction one step forward or backward is bijective. For $k = 14$ we get (b) because BadP does not occur: no value is ever overwritten in a call to $P$ or $P^{-1}$, and thus evaluating $P$ and $P^{-1}$ is always bijective.

To see (c), observe that the relation $\equiv$ is symmetric because of (b), and it is reflexive and transitive by definition. □

Lemma 3.21. Consider an execution of $S_2(f,p)$ with a good pair $(f,p)$. Suppose that at any point in the execution, two table-defined chains $C$ and $D$ are equivalent. Then, there exists a sequence of partial chains $C_1, \ldots, C_r$, $r \ge 1$, such that

• $C = C_1$ and $D = C_r$, or else $D = C_1$ and $C = C_r$,

• $C_i = $ next$(C_{i-1})$ and $C_{i-1} = $ prev$(C_i)$,

• and each $C_i$ is table-defined.

Proof. Since $C \equiv D$, $D$ can be obtained from $C$ by applying next and prev finitely many times. A shortest such sequence can only apply either next or prev, due to Lemma 3.20 (b). The resulting sequence of chains is the sequence we are looking for (possibly backwards); note that the last bullet point also follows by Lemma 3.20 (b). □



We first show that assignments $G_i(x_i) := f(i, x_i)$ and also assignments to $P$ in $R$ do not change the equivalence relation for chains which were defined before.

Lemma 3.22. Consider an execution of $S_2(f,p)$ with a good pair $(f,p)$. Let $C$ and $D$ be two table-defined partial chains at some point in the execution. Suppose that after this point, there is an assignment $G_i(x_i) := f(i, x_i)$ or a pair of assignments to $P$ in $R$. Then $C \equiv D$ before the assignment(s) if and only if $C \equiv D$ after the assignment(s).

Proof. Suppose that $C \equiv D$ before the assignment. We apply Lemma 3.21 to get a sequence $C_1, \ldots, C_r$ of table-defined chains. This sequence still implies equivalence after the assignment, since no value in $P$ or $G$ can be overwritten by one of the assignments considered (recall that BadP does not occur), i.e. the conditions of Definition 3.10 still hold if they held previously, thus $C \equiv D$ after the assignment(s).

Now suppose that $C$ and $D$ are equivalent after the assignment. Again consider the sequence $C_1, \ldots, C_r$ as given by Lemma 3.21. Suppose first that the assignment was $G_i(x_i) := f(i, x_i)$. If $x_i$ was not part of any chain, then $C_1, \ldots, C_r$ are a sequence which shows the equivalence of $C$ and $D$ before the assignment. Otherwise, there is $j$ such that the chains $C_{j-1}$ and $C_j$ have the form $C_{j-1} = (x_{i-1}, x_i, i-1)$ and $C_j = (x_i, x_{i+1}, i)$. It is not possible that $C_j = C_r$, as $C_j$ is not table-defined before the assignment. After the assignment next(next$(C_{j-1})) \ne \bot$, which is impossible by Lemma 3.20 (a). Suppose now we have a pair of assignments to $P$, mapping $(x_0, x_1)$ to $(x_{14}, x_{15})$. If $(x_{14}, x_{15}, 14)$ is not part of the sequence connecting $C$ and $D$ after the assignment, the same sequence shows equivalence before the assignment. Otherwise, next(next$(x_{14}, x_{15}, 14)) = \bot$ by Lemma 3.20 (a), as before. □
Next, we show that calls to ForceVal also do not change the equivalence relation for previously defined chains. Also, they never overwrite a previously defined value. However, we only show this under the assumption $x_{\ell-1} \notin G_{\ell-1}$ and $x_{\ell+2} \notin G_{\ell+2}$. Later, we will see that this assumption is safe.

Lemma 3.23. Consider an execution of $S_2(f,p)$ with a good pair $(f,p)$. Let $\ell \in \{4, 10\}$ and suppose that for a call Adapt$(x_{\ell-2}, x_{\ell-1}, x_{\ell+2}, x_{\ell+3}, \ell)$ it holds that $x_{\ell-1} \notin G_{\ell-1}$ and $x_{\ell+2} \notin G_{\ell+2}$ before the call.

Then, the following properties hold:

(a) For both calls ForceVal$(x, \cdot, j)$ we have $x \notin G_j$ before the call.

(b) Let $C$ be a table-defined chain before the call to Adapt, $i \in \{1, \ldots, 14\}$. Then, $\mathsf{val}_i(C)$ stays constant during both calls to ForceVal.

(c) If the chains $C$ and $D$ are table-defined before the call to Adapt, then $C \equiv D$ before the calls to ForceVal if and only if $C \equiv D$ after the calls to ForceVal.

Proof. Before Adapt is called, EvaluateForward and EvaluateBackward make sure that all the values $x_{\ell-2}, \ldots, x_{15}, \ldots, x_{\ell+3}, x_{\ell+2}$ corresponding to $(x_{\ell-2}, x_{\ell-1}, \ell-2)$ are defined in $P$ and $G$. By Lemma 3.20 (b) and (d), all partial chains defined by these values are equivalent to $(x_{\ell-2}, x_{\ell-1}, \ell-2)$.

By our assumption, $x_{\ell-1} \notin G_{\ell-1}$ and $x_{\ell+2} \notin G_{\ell+2}$, and thus the procedure Adapt defines $G_{\ell-1}(x_{\ell-1}) := f(\ell-1, x_{\ell-1})$ and $G_{\ell+2}(x_{\ell+2}) := f(\ell+2, x_{\ell+2})$. These assignments lead to $x_\ell \notin G_\ell$ and $x_{\ell+1} \notin G_{\ell+1}$, as otherwise the event BadlyHit would occur. This shows (a).

We next show (b), i.e., for any $C$ the values $\mathsf{val}_i(C)$ stay constant. For this, note first that this is true for table-defined chains $C$ that are equivalent to $(x_{\ell-2}, x_{\ell-1}, \ell-2)$ before the call to Adapt: $\mathsf{val}_i$ gives exactly $x_i$ both before and after the calls to ForceVal.

Now consider the table-defined chains that are not equivalent to $(x_{\ell-2}, x_{\ell-1}, \ell-2)$ before the call to Adapt. We show that for such a chain $C$, even $\mathsf{val}_i^+(C)$ and $\mathsf{val}_i^-(C)$ stay constant, as otherwise BadlyCollide would occur. A value $\mathsf{val}_i^\sigma(C)$ can only change during the execution of ForceVal$(x_\ell, \cdot, \ell)$ if $\mathsf{val}_\ell^\sigma(C) = x_\ell$. But this implies that the assignment $G_{\ell-1}(x_{\ell-1}) := f(\ell-1, x_{\ell-1})$ in Adapt made the two partial chains $C$ and $(x_{\ell-2}, x_{\ell-1}, \ell-2)$ badly collide. For this, note that $C$ is table-defined even before the assignment, since it was table-defined before the call to Adapt. Moreover, $(x_{\ell-2}, x_{\ell-1}, \ell-2)$ is table-defined after the assignment. The argument for ForceVal$(x_{\ell+1}, \cdot, \ell+1)$ is the same. Thus, this establishes (b).

We now show (c). First suppose that $C \equiv D$ before the calls to ForceVal. The sequence of chains given by Lemma 3.21 is not changed during the calls to ForceVal, since by (a), no value is overwritten. Thus, the chains are still equivalent after the calls.

Now suppose that $C \equiv D$ after the calls to ForceVal. Let $C_1, \ldots, C_r$ be the sequence given by Lemma 3.21. If $C$ and $D$ were not equivalent before the calls to ForceVal, there is $i$ such that before the call, $C_i$ was table-defined, but $C_{i+1}$ was not. Then, $\mathsf{val}^+(C_i)$ changes during a call to ForceVal, contradicting the proof of (b). Thus, the chains must have been equivalent before the calls. □

Equivalent chains are put into CompletedChains simultaneously:

Lemma 3.24. Suppose that $(f,p)$ is good. Fix a point in the execution of $S_2(f,p)$ and suppose that until this point, for no call to ForceVal of the form ForceVal$(x, \cdot, \ell)$ we had $x \in G_\ell$ before the call. Suppose that at this point $C = (x_k, x_{k+1}, k)$ with $k \in \{1, 7\}$ and $D = (y_m, y_{m+1}, m)$ with $m \in \{1, 7\}$ are equivalent. Then, $C \in$ CompletedChains if and only if $D \in$ CompletedChains.

Proof. We may assume $k = 1$. We first show that the lemma holds right after $C$ was added to CompletedChains. Since the chain was just adapted, and using Lemma 3.20 (b) and (d), the only chains which are equivalent to $C$ are those of the form $(\mathsf{val}_i(C), \mathsf{val}_{i+1}(C), i)$. Thus both $C$ and $D$ are added to CompletedChains, and $D$ is the only chain with index $m$ that is equivalent to $C$.

Now, the above property can only be lost if the event BadP occurs or else if a value is overwritten by ForceVal. Thus, we get the lemma. □

If the simulator detects a chain $(x_7, x_8, 7)$ for which $\mathsf{val}^+$ is defined for sufficiently many values, a chain equivalent to it was previously enqueued:

Lemma 3.25. Consider an execution of $S_2(f,p)$ with a good pair $(f,p)$. Suppose that at some point, a chain $C = (x_7, x_8, 7)$ is enqueued for which $\mathsf{val}_2^+(C) \in G_2$ or $\mathsf{val}_{13}^-(C) \in G_{13}$. Then, there is a chain equivalent to $C$ which was previously enqueued.

Proof. We only consider the case $\mathsf{val}_2^+(C) \in G_2$; the other case is symmetric. Define $(x_0, x_1, x_2, x_{13}, x_{14}, x_{15}) := (\mathsf{val}_0^+(C), \mathsf{val}_1^+(C), \mathsf{val}_2^+(C), \mathsf{val}_{13}^+(C), \mathsf{val}_{14}^+(C), \mathsf{val}_{15}^+(C))$. All these must be different from $\bot$, since otherwise $\mathsf{val}_2^+(C) = \bot$.

At some point in the execution, all the following entries are set in their respective hashtables: $G_1(x_1)$, $G_2(x_2)$, $G_{13}(x_{13})$, $G_{14}(x_{14})$, and $P(\uparrow, x_{14}, x_{15})$. The last one of these must have been $G_2(x_2)$ or $G_{13}(x_{13})$: if it was $P(\uparrow, x_{14}, x_{15})$, then the event BadP must have happened. If it was $G_1(x_1)$, then the event BadlyHit must have happened (as $(x_0, x_1, 0)$ is table-defined after the assignment). Analogously, $G_{14}(x_{14})$ cannot have been the last one. Thus, since $G_2(x_2)$ or $G_{13}(x_{13})$ was defined last among those, the simulator will detect the chain and enqueue it. □

If a chain C is enqueued for which previously no equivalent chain has been enqueued, then the assumptions of Lemma 3.23 actually do hold in good executions. We first show that they hold at the moment when the chains are enqueued (Lemma 3.26), and then that they still hold when the chains are dequeued (Lemma 3.27).



Lemma 3.26. Consider an execution of S2(f,p) with a good pair (f,p). Let C be a partial chain which is enqueued in the execution at some time and to be adapted at position ℓ. Suppose that at the moment the chain is enqueued, no equivalent chain has been previously enqueued.

Then, before the assignment G_k(x_k) := f(k, x_k) happens which just precedes C being enqueued, val^+_{ℓ-1}(C) = ⊥ and val^-_{ℓ+2}(C) = ⊥.

Proof. We have ℓ ∈ {4, 10}. We will assume ℓ = 4, and due to symmetry of the construction, this also implies the lemma in case ℓ = 10 for the corresponding rounds.

The assignment sets either the value of G_7(x_7) or G_2(x_2) uniformly at random (otherwise, enqueueNewChains is not called in the simulator). Consider first the case that G_2(x_2) was just set. Then, before this happened, val^+_3(C) = ⊥, since x_2 ∉ G_2. Furthermore, val^-_6(C) = ⊥, since otherwise val^-_7(C) ∈ G_7, and then (val^-_7(C), val^-_8(C), 7) would be an equivalent, previously enqueued chain. This implies the statement in case G_2(x_2) is just set. The second case is if G_7(x_7) was just set. Then, before the assignment, val^-_6(C) = ⊥, as x_7 ∉ G_7, and val^+_3(C) = ⊥, since otherwise val^+_2(C) ∈ G_2 and so an equivalent chain would have been previously enqueued, according to Lemma 3.25. □

Lemma 3.27. Consider an execution of S2(f,p) with a good pair (f,p). Let C be a partial chain which is enqueued in the execution at some time and to be adapted at position ℓ.

Then, at the moment C is dequeued, it holds that C ∈ CompletedChains, or that (val^+_{ℓ-1}(C) ∉ G_{ℓ-1}) ∧ (val^-_{ℓ+2}(C) ∉ G_{ℓ+2}).
Proof. Suppose that the lemma is wrong, and let C be the first chain for which it fails. Because this is the first chain for which it fails, Lemma 3.23 (a) implies that until the moment C is dequeued, no call to ForceVal overwrote a value. Now, consider the set 𝒞 of table-defined chains at some point in the execution that is not in an Adapt call, and before C is dequeued. Because of Lemmas 3.22 and 3.23 (c), the equivalence relation among chains in 𝒞 stays constant from this point until the moment C is dequeued.

We distinguish two cases to prove the lemma. Consider first the case that at the moment C is enqueued, an equivalent chain D was previously enqueued. The point in the execution where C is enqueued is clearly not in an Adapt call, and both C and D are table-defined. Then, at the moment C is dequeued, clearly D ∈ CompletedChains. Thus, because of Lemma 3.24 and the remark about equivalence classes of 𝒞 above, this implies that C ∈ CompletedChains when it is dequeued.

The second case is when C has no equivalent chain which was previously enqueued. To simplify notation we assume ℓ = 4 and show val_3(C) ∉ G_3, but the argument is completely generic. From Lemma 3.26 we get that before the assignment which led to C being enqueued, val_3(C) = ⊥. If val_3(C) ∈ G_3 at the time C is dequeued, it must be that G_3(val_3(C)) was set during completion of a chain D. This chain D was enqueued before C was enqueued, and dequeued after C was enqueued. Also, at the moment C is dequeued, val_3(C) = val_3(D). From the point C is enqueued, at any point until C is dequeued, it is not possible that C and D are equivalent: We assumed that there is no chain in the queue that is equivalent to C when C is enqueued, and at the point C is enqueued both C and D are table-defined. Furthermore, this point in the execution is not during an Adapt call. Therefore, by our initial remark, the equivalence relation between C and D stays constant until the moment C is dequeued.

Consider the last assignment to a table before val_3(C) = val_3(D) ≠ ⊥ was true. We first argue that this assignment cannot have been of the form G_i(x_i) := f(i, x_i), as otherwise the event BadlyCollide would have happened. To see this, we check the conditions for BadlyCollide for C and D. The chain D is table-defined even before the assignment, since it is in the queue. The assignment happens earliest right before C is enqueued, in which case C is table-defined after the assignment. If the assignment happens later, C is table-defined even before the assignment. Furthermore, we have already seen that C and D cannot be equivalent. Clearly, val_3(C) = ⊥ or val_3(D) = ⊥ before the assignment, and val_3(C) = val_3(D) ≠ ⊥ after the assignment.

The assignment cannot have been of the form P(↓, x_0, x_1) = (x_14, x_15) or P(↑, x_14, x_15) = (x_0, x_1), since val can be evaluated at most one step further by Lemma 3.20 (a). Finally, the assignment cannot have been in a call to ForceVal, because of Lemma 3.23 (b).

Thus, val_3(C) ∉ G_3 when C is dequeued, and the same argument holds for the other cases as well. □

The following lemma is an important intermediate goal. It states that the simulator never overwrites a value in G in case (f,p) is good.

Lemma 3.28. Consider an execution of S2(f,p) with a good pair (f,p). Then, for any call to ForceVal of the form ForceVal(x, ·, ℓ) we have x ∉ G_ℓ before the call.

Proof. Assume otherwise, and let C be the first chain during completion of which the lemma fails. Since the lemma fails for C, C ∉ CompletedChains when it is dequeued. Thus, Lemma 3.27 implies that val^+_{ℓ-1}(C) ∉ G_{ℓ-1} and val^-_{ℓ+2}(C) ∉ G_{ℓ+2} when C is dequeued, and so by Lemma 3.23 (a) we get the result. □

We say that a distinguisher completes all chains if, at the end of the execution, it emulates a call to EvaluateForward(x_0, x_1, 0, 14) for all queries to P(x_0, x_1) or to (x_0, x_1) = P^{-1}(x_14, x_15) which it made during the execution.

Lemma 3.29. Consider an execution of S2(f,p) with a good pair (f,p) in which the distinguisher completes all chains. Suppose that during the execution P(↓, x_0, x_1) is queried. Then, at the end of the execution it holds that P(↓, x_0, x_1) = (val^+_14(x_0, x_1, 0), val^+_15(x_0, x_1, 0)), and P(↑, x_14, x_15) = (val^-_0(x_14, x_15, 14), val^-_1(x_14, x_15, 14)).

Proof. If the query P(↓, x_0, x_1) was made by the simulator, then this was while it was completing a chain. Then, right after it finished adapting we clearly have the result. By Lemma 3.28 no value is ever overwritten. Since the event BadP does not occur, the conclusion of the lemma must also be true at the end of the execution.

Consider the case that P(↓, x_0, x_1) was a query by the distinguisher. Since it eventually issues the corresponding Feistel queries, it must query the corresponding values x_7 and x_8 at some point. Thus, x_7 ∈ G_7 and x_8 ∈ G_8 at the end of the execution. One of the two values was defined later, and in that moment, (x_7, x_8, 7) was enqueued by the simulator. Thus, it is dequeued at some point. If it was not in CompletedChains at this point, it is now completed and the conclusion of the lemma holds right after this completion. Otherwise, it was completed before it was inserted in CompletedChains, and the conclusion of the lemma holds after this completion. Again, by Lemma 3.28 no value is ever overwritten, and again BadP never occurs, hence the conclusion also holds at the end of the execution. □

Lemma 3.30. Consider an execution of S2(f,p) with a good pair (f,p) in which the distinguisher completes all chains. Then, the number of calls to Adapt by the simulator equals the number of queries to p(·, ·, ·) made by the two-sided random function.

Proof. Since the event BadP does not occur, the number of queries to p(·, ·, ·) equals half the number of entries in P at the end of the execution.

For each call to Adapt, there is a corresponding pair of entries in P: just before Adapt was called, such an entry was read either in EvaluateForward or EvaluateBackward. Furthermore, for no other call to Adapt the same entry was read, as otherwise a value would have to be overwritten, contradicting Lemma 3.28.

For each query to p(·, ·, ·), there was a corresponding call to Adapt: if the query to p occurred in a call to P by the simulator, then we consider the call to Adapt just following this call (as the simulator only queries P right before it adapts). If the query to p occurred in a call by the distinguisher, the distinguisher eventually queries the corresponding Feistel chain. At the moment it queries G_8(x_8), we find the first chain which is equivalent to (x_7, x_8, 7) at this point and was enqueued. This chain must have been adapted accordingly. □



3.5.5 Mapping randomness of S2 to randomness of S3

We next define a map τ which maps a pair of tables (f,p) to a partial table h, where a partial table h : {1, ..., 14} × {0,1}^n → {0,1}^n ∪ {⊥} either has an actual entry for a pair (i, x), or a symbol ⊥ which signals that the entry is unused. This map will be such that S2(f,p) and S3(τ(f,p)) have "exactly the same behaviour".

Definition 3.31. The function h = τ(f,p) is defined as follows: Run a simulation of S2(f,p) in which the distinguisher completes all chains. If f(i, x) is read at some point, then h(i, x) := f(i, x). If f(i, x) is never read, but for some y a call ForceVal(x, y, i) occurs, then h(i, x) := y for the first such call. If f(i, x) is never read and no such call to ForceVal occurs, then h(i, x) := ⊥.
Lemma 3.32. Suppose h has a good preimage. Consider any execution of S3(h) and suppose the distinguisher completes all chains. Then, S3(h) never queries h on an index (i, x) for which h(i, x) = ⊥. Furthermore, the following two conditions on (f,p) are equivalent:

(1) The pair (f,p) is good and τ(f,p) = h.

(2) The queries and answers to the two-sided random function in S2(f,p) are exactly the same as the queries and answers to the Feistel construction in S3(h); and h(i, x) = f(i, x) for any query (i, x) issued to f or h by the simulator.

Proof. We first show that (1) implies (2). Thus, because the distinguisher is deterministic, we need to show the following:

• When the simulator sets G_i(x_i) := f(i, x_i) in S2(f,p), respectively G_i(x_i) := h(i, x_i) in S3(h), the two values are the same.

• When the simulator queries P(x_0, x_1) or P^{-1}(x_14, x_15) it gets the same answer in S2(f,p) and S3(h).

The first bullet is obvious, because if the simulator ever sets G_i(x_i) := f(i, x_i) in S2(f,p), then h will be set accordingly by definition of τ.

Thus, we consider a query to P(x_0, x_1) (queries to P^{-1} are handled in the same way). Recall that we assume that the distinguisher completes all chains. Because of Lemma 3.29, the answer of the query to P is exactly what we obtain by evaluating the Feistel construction at the end in experiment S2. But each query in the evaluation of the Feistel construction was either set as G_i(x_i) := f(i, x_i) or in a ForceVal call, and in both cases the values of h must agree, since in good executions no value is ever overwritten (Lemma 3.28). Thus, the query to P is answered by the Feistel in the same way.

We now show that (2) implies (1). Assume now that (2) holds. Let (f_h, p_h) be a good preimage of h, i.e., a pair satisfying (1). We know already that condition (2) holds for (f_h, p_h), and because we assume that it holds for (f,p), we see that in the two executions S2(f_h, p_h) and S2(f,p) all queries to the two-sided random function are the same, and also the entries f(i, x) and f_h(i, x) for values considered match. This implies that (f,p) must be good. Furthermore, this implies τ(f,p) = τ(f_h, p_h).

Finally, we argue that S3(h) never queries h on an index (i, x) for which h(i, x) = ⊥. Let (f_h, p_h) be a good preimage of h. Clearly (1) holds for h and (f_h, p_h), which implies (2) as shown above. Thus, it cannot be that a query to h in S3(h) returns ⊥, as otherwise the answers in S2(f_h, p_h) and S3(h) would differ. □

Lemma 3.33. Suppose h has a good preimage. Pick (f,p) uniformly at random. Then,

Pr[(f,p) is good ∧ τ(f,p) = h] = 2^{-n|h|},    (1)

where |h| is the number of pairs (i, x) for which h(i, x) ≠ ⊥.

Proof. Let (f_h, p_h) be a good preimage of h. With probability 2^{-n|h|} all queries in S2(f,p) are answered exactly as those in S2(f_h, p_h): every query to f is answered the same with probability 2^{-n}, and every query to p with probability 2^{-2n}. Because of Lemma 3.30 the number |h| of non-nil entries in h is exactly the number of queries to f plus twice the number of queries to p. □



Lemma 3.4. The probability that a fixed distinguisher answers 1 in S2(f,p) for uniform random (f,p) differs at most by 8·10^19·q^10 / 2^n from the probability that it answers 1 in S3(h) for uniform random h.
Proof. First, modify the distinguisher such that for each query to P(x_0, x_1) or to (x_0, x_1) = P^{-1}(x_14, x_15) which it made during the execution (to either the two-sided random function in S2 or the Feistel construction in S3), it issues the corresponding Feistel queries to F in the end (i.e., it emulates a call to EvaluateForward(x_0, x_1, 0, 14)). This increases the number of queries of the distinguisher by at most a factor of 14. Furthermore, any unmodified distinguisher that achieves some advantage will achieve the same advantage when it is modified.

Consider now the following distribution over values h*, which are either tables for S3(h*) which contain no entry ⊥, or the special symbol ⊥. To pick an element h*, we pick a pair (f,p) uniformly at random. If (f,p) is good, we compute h := τ(f,p) and set each entry of h with h(i, x) = ⊥ uniformly at random. The result is h*. If (f,p) is not good, we set h* = ⊥. Let H be the random variable that takes values according to this distribution.

We now claim that the probability that any fixed table h* ≠ ⊥ is output is at most 2^{-n|h*|}. To prove this, we first show that it cannot be that two different values h which both have a good preimage can yield the same h*. Towards a contradiction assume that h and h' are different and both have a good preimage, and they yield the same h*. Let (f_h, p_h) and (f_{h'}, p_{h'}) be good preimages of h and h', respectively. Then, Lemma 3.32 item (2) implies that the queries and answers in S2(f_h, p_h) and S3(h) are the same. Furthermore, since S3(h) never queries h on an index (i, x) where h(i, x) = ⊥ (Lemma 3.32), we get that the queries and answers in S3(h) and S3(h*) are the same. Arguing symmetrically for (f_{h'}, p_{h'}), we see that the queries and answers in S3(h') and S3(h*) are the same, and so the queries and answers in S2(f_h, p_h) and S2(f_{h'}, p_{h'}) must be the same. But by definition of τ, this implies that h = h', a contradiction.

We now calculate the probability of getting a fixed table h* ≠ ⊥. In the first case, suppose there exists h with a good preimage that can lead to h*. Let ρ be the randomness that is used to replace the ⊥ entries in h by random entries. We have

Pr_{(f,p),ρ}[H = h*] = Pr_{(f,p),ρ}[(f,p) is good ∧ h = τ(f,p) can lead to h* ∧ filling with ρ leads to h*].

Now, as we have seen, no two different values for h can yield the same h*. Thus, we can assume that h* = (h, ρ*), where h is the unique table that leads to h*, and ρ* stands for the entries that occur in h*, but are ⊥ in h. Then, the above probability equals

Pr_{(f,p),ρ}[(f,p) is good ∧ τ(f,p) = h ∧ ρ = ρ*]
    = Pr_{(f,p),ρ}[(f,p) is good ∧ τ(f,p) = h] · Pr_{(f,p),ρ}[ρ = ρ*]
    = 2^{-n|h|} · 2^{-n(|h*| − |h|)} = 2^{-n|h*|},

where for the second equality we apply Lemma 3.33 and note that ρ is chosen uniformly.

In the second case, there exists no h with a good preimage that can lead to h*. Then we have Pr_{(f,p),ρ}[H = h*] = 0, and so in both cases

Pr_{(f,p),ρ}[H = h*] ≤ 2^{-n|h*|}.    (2)

This implies that the statistical distance of the distribution over h* which we described to the uniform distribution is exactly the probability that (f,p) is not good. For completeness, we give a formal argument for this. Consider H as above, and let U be a random variable taking uniform random values from {0,1}^{n|h*|}. We have

d(U, H) = ½ Σ_{h*} |Pr[U = h*] − Pr_{(f,p),ρ}[H = h*]|
    = ½ |Pr[U = ⊥] − Pr_{(f,p),ρ}[H = ⊥]| + ½ Σ_{h* ≠ ⊥} |Pr[U = h*] − Pr_{(f,p),ρ}[H = h*]|
    = ½ Pr_{(f,p)}[(f,p) is not good] + ½ Σ_{h* ≠ ⊥} Pr[U = h*] − ½ Σ_{h* ≠ ⊥} Pr_{(f,p),ρ}[H = h*]
    = ½ Pr_{(f,p)}[(f,p) is not good] + ½ − ½ (1 − Pr_{(f,p)}[(f,p) is not good])
    = Pr_{(f,p)}[(f,p) is not good],

where the third equality uses (2), so that every summand is Pr[U = h*] − Pr_{(f,p),ρ}[H = h*] ≥ 0, together with Pr[U = ⊥] = 0 and Pr_{(f,p),ρ}[H = ⊥] = Pr_{(f,p)}[(f,p) is not good].

We proceed to argue that Pr_{(f,p)}[(f,p) is not good] is small. In S2, by Lemma 3.3 we have that |G_i| ≤ 6·(14·q)^2 and |P| ≤ 6·(14·q)^2, where the additional factor of 14 comes in because the distinguisher completes all chains. By Lemma 3.19,

Pr_{(f,p)}[(f,p) is not good] ≤ 16000 · (6·(14·q)^2)^5 / 2^n ≤ 4·10^19·q^10 / 2^n.

By Lemma 3.32, for good (f,p) the behaviour of S2(f,p) and S3(H) is identical. Thus, |Pr_{(f,p)}[D outputs 1 in S2(f,p)] − Pr_{(f,p),ρ}[D outputs 1 in S3(H)]| ≤ Pr_{(f,p)}[(f,p) is not good]. Furthermore,

|Pr[D outputs 1 in S3(H)] − Pr[D outputs 1 in S3(U)]| ≤ d(H, U) = Pr_{(f,p)}[(f,p) is not good],

and therefore

|Pr[D outputs 1 in S2(f,p)] − Pr[D outputs 1 in S3(U)]| ≤ 2 · Pr_{(f,p)}[(f,p) is not good] ≤ 8·10^19·q^10 / 2^n,

using our bound on the probability that (f,p) is not good above. □
A Detailed Definition of the Simulator of Coron et al.

We proceed to provide the full definition of the simulator in [CPS08c]. In particular, for ease of reference, we stick to the same variable naming used within their work, even though this is inconsistent with the notation used in the rest of this paper.

As sketched in the simulator overview, S keeps a history of the function values it has defined up to the current point of execution, which consists of sets H(F_i) of pairs (x, F_i(x)). With some abuse of notation, and to improve readability, we denote as F_i := {x | (x, F_i(x)) ∈ H(F_i)} the set of F_i-queries whose values have been defined. We define the history ℋ := {(x, F_i(x)) | (x, F_i(x)) ∈ H(F_i) for some i}.

Also, if the history size gets too big, i.e. |H(F_i)| > h_max for some F_i and a value h_max depending only on the number of distinguisher queries q, the simulator aborts.



Procedures Query and ChainQuery. Upon a query x for F_k issued by D, the simulator S executes the following procedure Query(x, k):

procedure Query(x, k):
    if x ∈ F_k then
        return F_k(x) from H(F_k)
    else
        F_k(x) ←_R {0,1}^n
        ChainQuery(x, k)
        return F_k(x) from H(F_k)

Procedure ChainQuery checks if 3-chains as defined in Fig. 3 w.r.t. query x occur. Note that this is only a selection of all possible chains one might consider. Observe that the chain sets for F_1, F_2 and F_3 are defined symmetrically to those of F_4, F_5 and F_6. In particular, the sets F_6^* and F_1^* are defined as follows for the understood parameters X and A:

F_6^*(X) := F_6 ∪ {S | ∃(R', X') ∈ (F_1, F_2 \ {X}), P(X' ⊕ F_1(R') ∥ R')|_1 = S}
F_1^*(A) := F_1 ∪ {R | ∃(S', A') ∈ (F_6, F_5 \ {A}), P^{-1}(S' ∥ A' ⊕ F_6(S'))|_2 = R}

Query to | Chain Sets
F_1 | C(−, R, 1) = {(S, A) ∈ (F_6, F_5) | P^{-1}(S ∥ A ⊕ F_6(S))|_2 = R}
F_2 | C(+, X, 2) = {(Y, Z) ∈ (F_3, F_4) | X = F_3(Y) ⊕ Z}
    | C(−, X, 2) = {(R, S) ∈ (F_1, F_6^*(X)) | P(X ⊕ F_1(R) ∥ R)|_1 = S}
F_3 | C(+, Y, 3) = {(Z, A) ∈ (F_4, F_5) | Y = F_4(Z) ⊕ A}
F_4 | C(−, Z, 4) = {(Y, X) ∈ (F_3, F_2) | Z = F_3(Y) ⊕ X}
F_5 | C(+, A, 5) = {(S, R) ∈ (F_6, F_1^*(A)) | P^{-1}(S ∥ A ⊕ F_6(S))|_2 = R}
    | C(−, A, 5) = {(Z, Y) ∈ (F_4, F_3) | A = F_4(Z) ⊕ Y}
F_6 | C(+, S, 6) = {(R, X) ∈ (F_1, F_2) | P(X ⊕ F_1(R) ∥ R)|_1 = S}

Figure 3: Chains to be considered by Procedure ChainQuery.

The chains that are considered additionally when using the sets F_i^* instead of F_i in the cases of (F_2, −) and (F_5, +) chains are called virtual chains. These chains do not consist of history values exclusively. If such a chain occurs, the simulator first defines the three values that constitute the 3-chain that are not yet in the history and then completes it. The intuition^5 why such virtual chains are considered in addition is as follows: Every time the sets C(−, R, 1) for some R and symmetrically C(+, S, 6) for some S are computed, it will not be possible that more than one such chain is found. Note that it is not clear at this point if this goal can indeed be achieved. Intuitively, such a fact might simplify (or even make possible) the analysis of the recursions of the simulator.

^5 This intuition comes from studying the proof in [CPS08b].

The procedure ChainQuery now handles the recursions. We still consider the chains in Fig. 3. If such 3-chains occur, ChainQuery calls a further procedure, called CompleteChain, to complete these chains, i.e. it consistently (with P) fills in the remaining values for each 3-chain. Then, ChainQuery is called recursively for the values defined during the completions of chains:

procedure ChainQuery(x, k):
    if k ∈ {1, 2, 5, 6} then XorQuery_1(x, k)
    if k ∈ {1, 3, 4, 6} then XorQuery_2(x, k)
    if k ∈ {3, 4} then XorQuery_3(x, k)
    U := ∅
    if k ∈ {2, 3, 5, 6} then
        forall (y, z) ∈ C(+, x, k) do
            U := U ∪ CompleteChain(+, x, y, z, k)
    if k ∈ {1, 2, 4, 5} then
        forall (y, z) ∈ C(−, x, k) do
            U := U ∪ CompleteChain(−, x, y, z, k)
    forall (x', k') ∈ U do
        ChainQuery(x', k')

The first three lines of ChainQuery make calls to the so-called XorQuery procedures: they perform additional ChainQuery(x', k') executions for values x' other than x that fulfil certain properties. This ensures that for the values x', we are always sure that ChainQuery(x', k') occurs before the chains for ChainQuery(x, k) are completed. To understand S one can ignore, for the moment, the details about the XorQuery procedures: We first detail CompleteChain and only subsequently address the XorQuery procedures.

Procedure CompleteChain. Procedure CompleteChain completes a chain (x, y, z), given direction d and the index k of F_k, according to the following table.

Query x to | Dir d | (y, z) in History | Additionally set F_i | Compute | Adapt (F_j, F_{j+1})
F_1 | − | (F_6, F_5) | F_4 | S∥T | (F_2, F_3)
F_2 | + | (F_3, F_4) | F_1 | L∥R | (F_5, F_6)
F_2 | − | (F_1, F_6) | F_3 | L∥R | (F_4, F_5)
F_3 | + | (F_4, F_5) | F_6 | S∥T | (F_1, F_2)
F_4 | − | (F_3, F_2) | F_1 | L∥R | (F_5, F_6)
F_5 | + | (F_6, F_1) | F_4 | S∥T | (F_2, F_3)
F_5 | − | (F_4, F_3) | F_6 | S∥T | (F_1, F_2)
F_6 | + | (F_1, F_2) | F_3 | L∥R | (F_4, F_5)

In detail this looks as follows:
22 procedure CompleteChain(d, x, y, z, k):
23     if there was a CompleteChain-execution w.r.t. values x, y, z before then
24         return ∅
25     else
26         if (d, k) = (−, 2) and z ∉ F_6 then
27             F_6(z) ←_R {0,1}^n
28             U := U ∪ {(z, 6)}
29         if (d, k) = (+, 5) and z ∉ F_1 then
30             F_1(z) ←_R {0,1}^n
31             U := U ∪ {(z, 1)}
32         compute x_i (i according to the table, column 'Additionally set')
33         if x_i ∉ F_i then
34             F_i(x_i) ←_R {0,1}^n
35             U := U ∪ {(x_i, i)}
36         if Compute L∥R (according to the table) then
37             compute L∥R
38             compute S∥T := P(L∥R)
39         if Compute S∥T (according to the table) then
40             compute S∥T
41             compute L∥R := P^{-1}(S∥T)
42         now all inputs (x_1, x_2, ..., x_6) to (F_1, F_2, ..., F_6) of the completion of (x, y, z) are known
43         compute x_0 := L, x_7 := T
44         if x_j ∈ F_j or x_{j+1} ∈ F_{j+1} then
45             abort
46         else (adapt according to the table)
47             F_j(x_j) := x_{j−1} ⊕ x_{j+1}
48             F_{j+1}(x_{j+1}) := x_j ⊕ x_{j+2}
49             U := U ∪ {(x_j, j), (x_{j+1}, j+1)}
50         return U

Lines 2 and 3 need further explanation. We assume that the simulator keeps track of the 6-tuples (R, X, Y, Z, A, S) of values that were defined in any CompleteChain-execution up to the current point of execution. In line 2, CompleteChain checks whether the values x, y, z for given k, d are part of such a 6-tuple of values that were defined in some earlier CompleteChain-execution. If so, the empty set is returned. For example, if in ChainQuery(R', 1) we find (S', A') ∈ C(−, R', 1), then CompleteChain(−, R', S', A', 1) occurs and line 2 checks if there is a 6-tuple (R, X, Y, Z, A, S) from an earlier CompleteChain-execution where R = R', S = S' and A = A'. If so, the chain (S', A') is not completed again and the empty set is returned in line 3 immediately. Note that steps 2 and 3 were not included in the simulator definition in [CPS08c]. But if these steps are not performed, the simulator trivially aborts as soon as a recursive CompleteChain call occurs in ChainQuery. (In the above example of (S', A'), if the values (R', X, Y, Z, A', S') were defined in an earlier CompleteChain-execution, the simulator would abort at step 29 of CompleteChain, since both Y ∈ F_3 and X ∈ F_2 already.) Furthermore, note that lines 5 to 11 are used to define missing function values for virtual chains.

Fig. 4 illustrates how the simulator S completes 3-chains.
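To make the table and the pseudocode above concrete, the following toy model (added here; it is neither this paper's nor Coron et al.'s code) implements a lazily sampled random permutation P (in the spirit of the implementation of P described in Appendix B), the chain set C(+, Y, 3) from Fig. 3, and the CompleteChain row for a query to F_3 with direction + (additionally set F_6, compute S∥T, adapt (F_1, F_2)); it then checks that after adaptation the 6-round Feistel built from the simulator's tables agrees with P on the completed chain. The width n = 16, the class and function names, and the planted chain are all constructed for this example.

```python
import secrets

N = 16                       # toy half-block width n (constructed; the paper keeps n general)
MASK = (1 << N) - 1


def rand_n():
    """Sample a uniform n-bit value (the paper's  <-_R {0,1}^n )."""
    return secrets.randbits(N)


def split(v):
    """2n-bit value -> (left half, right half)."""
    return v >> N, v & MASK


def join(left, right):
    """(left half, right half) -> 2n-bit value left||right."""
    return (left << N) | right


class LazyPermutation:
    """Random permutation on 2n-bit strings, sampled lazily so that P and P^{-1}
    stay mutually consistent (the role played by the value lists in Appendix B)."""

    def __init__(self):
        self.fwd, self.bwd = {}, {}

    def _bind(self, lr, st):
        self.fwd[lr], self.bwd[st] = st, lr

    def P(self, lr):
        if lr not in self.fwd:
            st = secrets.randbits(2 * N)
            while st in self.bwd:          # an output value must not be reused
                st = secrets.randbits(2 * N)
            self._bind(lr, st)
        return self.fwd[lr]

    def Pinv(self, st):
        if st not in self.bwd:
            lr = secrets.randbits(2 * N)
            while lr in self.fwd:          # an input value must not be reused
                lr = secrets.randbits(2 * N)
            self._bind(lr, st)
        return self.bwd[st]


class ToySimulator:
    """Histories H(F_1), ..., H(F_6) plus the single CompleteChain row modelled here."""

    def __init__(self, perm):
        self.perm = perm
        self.F = {i: {} for i in range(1, 7)}

    def get(self, i, x):
        """Query(x, i) without chain detection: define F_i(x) at random if missing."""
        if x not in self.F[i]:
            self.F[i][x] = rand_n()
        return self.F[i][x]

    def chain_set_plus_3(self, y):
        """C(+, Y, 3) = {(Z, A) in (F_4, F_5) | Y = F_4(Z) xor A} from Fig. 3."""
        return [(z, a) for z in self.F[4] for a in self.F[5] if y == self.F[4][z] ^ a]

    def complete_chain_plus_3(self, y, z, a):
        """CompleteChain(+, Y, Z, A, 3): table row 'F_3, +, (F_4, F_5), set F_6,
        compute S||T, adapt (F_1, F_2)'.  Returns (L||R, S||T), or None on abort."""
        x = self.get(3, y) ^ z             # x_2 = X = F_3(Y) xor Z
        s = self.get(5, a) ^ z             # x_6 = S = F_5(A) xor Z
        t = self.get(6, s) ^ a             # additionally set F_6(S); x_7 = T = F_6(S) xor A
        st = join(s, t)
        lr = self.perm.Pinv(st)            # compute L||R := P^{-1}(S||T)
        left, right = split(lr)            # x_0 = L, x_1 = R
        if right in self.F[1] or x in self.F[2]:
            return None                    # x_j in F_j or x_{j+1} in F_{j+1}: abort
        self.F[1][right] = left ^ x        # F_1(x_1) := x_0 xor x_2
        self.F[2][x] = right ^ y           # F_2(x_2) := x_1 xor x_3
        return lr, st

    def feistel(self, lr):
        """Six-round Feistel on the simulator's tables: x_{i+1} = x_{i-1} xor F_i(x_i)."""
        prev, cur = split(lr)
        for i in range(1, 7):
            prev, cur = cur, prev ^ self.get(i, cur)
        return join(prev, cur)


def demo():
    """Plant a 3-chain (Y, Z, A), complete it, and check that P and the Feistel agree."""
    sim = ToySimulator(LazyPermutation())
    z, a = rand_n(), rand_n()
    sim.get(4, z)
    sim.get(5, a)                          # now (Z, A) is in (F_4, F_5)
    y = sim.F[4][z] ^ a                    # hence (Z, A) is in C(+, Y, 3)
    if sim.chain_set_plus_3(y) != [(z, a)]:
        return False
    result = sim.complete_chain_plus_3(y, z, a)
    if result is None:
        return False
    lr, st = result
    return sim.feistel(lr) == st == sim.perm.P(lr)


if __name__ == "__main__":
    print("consistent after CompleteChain:", demo())
```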

The XorQuery procedures. As mentioned earlier, the procedures XorQuery_1, XorQuery_2, and XorQuery_3 perform additional calls to ChainQuery before the chains for ChainQuery(x, k) are completed.

Figure 4: An illustration of how S completes 3-chains

The idea behind XorQuery_1 is the following: We consider the execution of ChainQuery(X, 2) for some X and in this execution a recursive call to ChainQuery(Y, 3) that occurs for some Y. For ChainQuery(Y, 3), XorQuery_1 should ensure that for any (F_3, +) chain (Y, Z, A), X := F_3(Y) ⊕ Z is not in F_2. The same property should be ensured symmetrically for ChainQuery(A, 5).

51 procedure XorQuery_1(x, k):
52     if k = 5 then
53         𝒜' := {x ⊕ R_1 ⊕ R_2 ∉ F_5 | R_1, R_2 ∈ F_1, R_1 ≠ R_2}
54     else if k = 1 then
55         𝒜' := {A ⊕ x ⊕ R_2 ∉ F_5 | A ∈ F_5, R_2 ∈ F_1}
56     if k = 5 or k = 1 then
57         forall A' ∈ 𝒜' do
58             if ∃R' ∈ F_1, ∃S' ∈ F_6 : P^{-1}(S' ∥ F_6(S') ⊕ A')|_2 = R' then
59                 F_5(A') ←_R {0,1}^n
60                 ChainQuery(A', 5)
61     if k = 2 then
62         𝒳' := {x ⊕ S_1 ⊕ S_2 ∉ F_2 | S_1, S_2 ∈ F_6, S_1 ≠ S_2}
63     else if k = 6 then
64         𝒳' := {X ⊕ x ⊕ S_2 ∉ F_2 | X ∈ F_2, S_2 ∈ F_6}
65     if k = 2 or k = 6 then
66         forall X' ∈ 𝒳' do
67             if ∃S' ∈ F_6, ∃R' ∈ F_1 : P(F_1(R') ⊕ X' ∥ R')|_1 = S' then
68                 F_2(X') ←_R {0,1}^n
69                 ChainQuery(X', 2)



XorQuery_2 and XorQuery_3 are used as follows: Consider the execution of ChainQuery(Y, 3) for some Y and in this execution a recursive call to ChainQuery(X, 2). These two procedures should ensure that, under certain assumptions, the simulator does not abort in the next two recursion levels, and after these two levels certain properties hold. The same holds symmetrically for ChainQuery(A, 5) for some A. Again, this is just an intuition and it is not clear at this point if these goals are achievable with XorQuery_2 and XorQuery_3.

procedure XorQuery_2(x, k):
    ℳ := {(L, R, Z, A, S) | P^{-1}(S ∥ A ⊕ F_6(S)) = L∥R,
          R ∉ F_1,
          A ∈ F_5,
          S ∈ F_6,
          Z = F_5(A) ⊕ S}
    forall (L, R, Z, A, S) ∈ ℳ do
        if k = 6 and ∃Z' ∈ F_4 \ {Z} : P(L ⊕ Z ⊕ Z' ∥ R)|_1 = x or
           k = 3 and ∃S' ∈ F_6 : P(L ⊕ x ⊕ Z ∥ R)|_1 = S' then
            F_1(R) ←_R {0,1}^n
            ChainQuery(R, 1)
    ℳ := {(S, T, R, X, Y) | P(X ⊕ F_1(R) ∥ R) = S∥T,
          S ∉ F_6,
          X ∈ F_2,
          R ∈ F_1,
          Y = F_2(X) ⊕ R}
    forall (S, T, R, X, Y) ∈ ℳ do
        if k = 1 and ∃Y' ∈ F_3 \ {Y} : P^{-1}(S ∥ T ⊕ Y ⊕ Y')|_2 = x or
           k = 4 and ∃R' ∈ F_1 : P^{-1}(S ∥ T ⊕ x ⊕ Y)|_2 = R' then
            F_6(S) ←_R {0,1}^n
            ChainQuery(S, 6)

93 procedure XorQuery_3(x, k):
94     ℛ := {(Y, R_1, R_2) | P^{-1}(S_1 ∥ A_1 ⊕ F_6(S_1)) = L_1∥R_1,
95           P^{-1}(S_2 ∥ A_2 ⊕ F_6(S_2)) = L_2∥R_2,
96           Y ∉ F_3,
97           S_1 ∈ F_6,
98           Z_1 = F_5(A_1) ⊕ S_1, Z_1 ∈ F_4,
99           A_1 = F_4(Z_1) ⊕ Y, A_1 ∈ F_5,
100          S_2 ∈ F_6,
101          Z_2 = F_5(A_2) ⊕ S_2, Z_2 ∈ F_4,
102          A_2 = F_4(Z_2) ⊕ Y, A_2 ∈ F_5}
103    if k = 3 and ∃(Y, R_1, R_2) ∈ ℛ : Y = x ⊕ R_1 ⊕ R_2 then
104        F_3(Y) ←_R {0,1}^n
105        ChainQuery(Y, 3)
106    𝒮 := {(Z, S_1, S_2) | P(F_1(R_1) ⊕ X_1 ∥ R_1) = S_1∥T_1,
107          P(F_1(R_2) ⊕ X_2 ∥ R_2) = S_2∥T_2,
108          Z ∉ F_4,
109          R_1 ∈ F_1,
110          Y_1 = F_2(X_1) ⊕ R_1, Y_1 ∈ F_3,
111          X_1 = F_3(Y_1) ⊕ Z, X_1 ∈ F_2,
112          R_2 ∈ F_1,
113          Y_2 = F_2(X_2) ⊕ R_2, Y_2 ∈ F_3,
114          X_2 = F_3(Y_2) ⊕ Z, X_2 ∈ F_2}
115    if k = 4 and ∃(Z, S_1, S_2) ∈ 𝒮 : Z = x ⊕ S_1 ⊕ S_2 then
116        F_4(Z) ←_R {0,1}^n
117        ChainQuery(Z, 4)



Illustrations describing the XorQuery procedures. We provide illustrations to better describe procedures XorQuery_1, XorQuery_2, and XorQuery_3.

Fig. 5 illustrates how XorQuery_1 works. In the figure, the values that are required to be in the history are marked with boxes, and the value x that XorQuery_1 is called upon is marked with a circle. We abbreviate ChainQuery by CQ.

For example, the left upper quarter of Fig. 5 describes calls to XorQuery_1(A, 5) for some A. Upon such a call, S computes the values A' for any pairs R_1, R_2 in F_1 where R_1 ≠ R_2. Now if some A' is not in F_5 (in the figure, there is no box around A'), then S checks if there is a 3-chain (A', S', R') for some S' ∈ F_6 and R' ∈ F_1 (in the figure, there are boxes around these values). If such a chain is found, S calls ChainQuery(A', 5). In the figure, we write XorQuery_1(A, 5) → CQ(A', 5) to say this.



Figure 5: An illustration for XorQuery_1 (panels: XorQuery_1(A, 5) → CQ(A', 5); XorQuery_1(X, 2) → CQ(X', 2); XorQuery_1(R, 1) → CQ(A', 5); XorQuery_1(S, 6) → CQ(X', 2))

Fig. 6 provides an illustration of XorQuery_2. The notation is the same as in the illustration for XorQuery_1.

For XorQuery_3 we provide Fig. 7 to facilitate the understanding. Here is a description of XorQuery_3 for the case of k = 3: Upon query (x, 3) the procedure sets F_3(Y) ←_R {0,1}^n and calls ChainQuery(Y, 3) for any Y ∉ F_3 if there are 3-chains (Z_1, A_1, S_1) and (Z_2, A_2, S_2) (as in the figure) in the history and the corresponding R_1 and R_2 are such that Y = x ⊕ R_1 ⊕ R_2.
Figure 6: An illustration for XorQuery_2 (panels: XorQuery_2(S, 6); XorQuery_2(R, 1); XorQuery_2(Y, 3); XorQuery_2(Z, 4))

B Detailed Analysis of the Attack against the Simulator of Coron et al.

Formally, the distinguisher D is defined as follows. (The distinguisher's output bit is irrelevant, since its goal is to let the simulator abort.)

Distinguisher D
    X ←_R {0,1}^n, R_2 ←_R {0,1}^n, R_3 ←_R {0,1}^n
    L_2 := F_1(R_2) ⊕ X, L_3 := F_1(R_3) ⊕ X
    S_2∥T_2 := P(L_2∥R_2), S_3∥T_3 := P(L_3∥R_3)
    A_2 := F_6(S_2) ⊕ T_2, A_3 := F_6(S_3) ⊕ T_3
    R_1 := R_2 ⊕ A_2 ⊕ A_3
    L_1 := F_1(R_1) ⊕ X
    S_1∥T_1 := P(L_1∥R_1)
    A_1 := F_6(S_1) ⊕ T_1
    A := A_1 ⊕ R_1 ⊕ R_2
    query F_5(A)

Implementing P. The distinguisher makes 7 < 2^3 queries to F and three permutation queries. Assume without loss of generality that at most B := 2^50 queries are made to the permutation P (or its inverse P^{-1}) by the simulator or by the distinguisher. Once more than B P-queries are made, we assume that the simulator S aborts. By Lemma 1 in [CPS08c], the probability that abort occurs in the original experiment (where no limit on the number of P queries made by the simulator is imposed) is at most 2^55 / 2^n = O(2^{-n}) lower than in the version where the query number is bounded by B. Note that, while large, B is constant, and although it could be made significantly smaller for the purposes of this section, we use the larger value to rely on the analysis of [CPS08c].
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XorQuery 3 (T,3) -> CQ(y,3) 



Ri R 2 
X\ X 2 
Y 



Y£H- m (R 3 ) 



{Y)= Y®R 1 ®R 2 



XorQuery 3 (Z,4) CQ(Z,4) 







R2 








x 2 








Y 2 






z 








A 2 


Si 




s 2 




z in 


in( R 4) 



(D= ze5i05 2 



Figure 7: An illustration for XorQuery 3 



It is convenient to think of P as being implemented as follows: Initially, two lists and of 
B uniformly distributed, but distinct, 2n-bit values are generated. Then, each time a P query is 
issued with input x, we first check if P(x) is defined (in which case we simply return the previously 
defined value), or if P _1 (y) = x (in which case we return y.) Otherwise, we assign to P(x) the first 
value y in such that P _1 (y) is undefined, and let P _1 (?/) := x. Also, P _1 queries are answered 
symmetrically. It is not hard to verify that this gives rise to a uniform random permutation as 
long as at most B queries are made: Each forward query P(x) assigns a value from which is 
uniformly distributed among all values for which P _1 (y) is not defined, and, if x G ensures that 
x E Ci cannot be used as an answer to a query to P _1 . 

For simplicity, denote as C\ and C 2 the lists containing the first and second halves, respectively, 
of the elements of C := C±\\C^. (Here, || denotes list concatenation.) 
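The implementation of P sketched above, written out as an added example (it is not code from the paper): a lazily sampled permutation that answers forward queries from a first pre-sampled list and inverse queries from a second one, and aborts once more than B queries are made. The class, method and attribute names are assumptions.

```python
import secrets

def sample_distinct(count, bits):
    """Constructed helper: `count` distinct uniformly random `bits`-bit values."""
    values, seen = [], set()
    while len(values) < count:
        v = secrets.randbits(bits)
        if v not in seen:
            seen.add(v)
            values.append(v)
    return values

class BoundedRandomPermutation:
    """Lazily sampled random permutation on 2n-bit strings that answers at most B
    queries, following the 'Implementing P' paragraph: 2B distinct values are
    pre-sampled and split into a list of forward answers (C on the page) and a
    list of inverse answers. A fresh P(x) query gets the first forward-list value
    not yet used as an image; a fresh P^{-1}(y) query gets the first inverse-list
    value not yet used as a preimage. (Names are assumptions, not the paper's.)"""

    def __init__(self, n, B):
        self.n, self.B, self.queries = n, B, 0
        values = sample_distinct(2 * B, 2 * n)
        self.fwd_list, self.inv_list = values[:B], values[B:]
        self.P, self.Pinv = {}, {}          # tables for P(x) and P^{-1}(y)

    def _count(self):
        self.queries += 1
        if self.queries > self.B:           # more than B queries: abort, as in the analysis
            raise RuntimeError("query bound B exceeded")

    def forward(self, x):
        self._count()
        if x in self.P:                     # P(x) already defined (directly or via P^{-1})
            return self.P[x]
        y = next(v for v in self.fwd_list if v not in self.Pinv)
        self.P[x], self.Pinv[y] = y, x
        return y

    def inverse(self, y):
        self._count()
        if y in self.Pinv:                  # P^{-1}(y) already defined
            return self.Pinv[y]
        x = next(v for v in self.inv_list if v not in self.P)
        self.Pinv[y], self.P[x] = x, y
        return x

    def halves(self):
        """C_1 and C_2 on the page: first and second n-bit halves of the forward list."""
        mask = (1 << self.n) - 1
        return ([v >> self.n for v in self.fwd_list], [v & mask for v in self.fwd_list])
```

With at most B queries in total, at most B - 1 list entries can be in use when a fresh query arrives, so the `next(...)` lookups always find a free value.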

Initialization. We consider the interaction of D and S, and show that the latter aborts with overwhelming probability. Before executing Line 11, it is clear that no additional $F_i(x)$ entry is defined by one of the XorQuery calls, since only XorQuery$_1$ and XorQuery$_2$ can be called when answering queries to either of $F_1$ or $F_6$, but the histories of $F_2, F_3, F_4, F_5$ are all empty. Thus when $F_5(A)$ is called, only the values $R_1, R_2, R_3, S_1, S_2, S_3$ are in the history of S, and consequently, no 3-chain exists so far. Also, the first three elements of $\mathcal{C}$ are $S_1 \| T_1$, $S_2 \| T_2$, and $S_3 \| T_3$.

The following definitions introduce bad events: Their definition is tailored to what is needed later, and may appear confusing at first. (We invite the reader to skip their definition, and come back later.)

Definition B.1. The event $\mathrm{Bad}_P$ occurs if one of the following is true:

(i) There exists a collision among the first or second halves of the elements of $\mathcal{C}$;

(ii) $\mathcal{C}_2 \cap \{R_1, R_2, R_3\} \ne \emptyset$, that is, the second half of some element of $\mathcal{C}$ is in $\{R_1, R_2, R_3\}$;

(iii) There exist $R, R' \in \mathcal{C}_2$ such that $R_1 \oplus R_2 = R \oplus R'$.

Definition B.2. The event $\mathrm{Bad}_1$ occurs if one of the following is true:

(i) Two elements among $R_1, R_2, R_3$ collide;

(ii) $\tilde{A} \oplus F_6(S) \in \mathcal{C}_2$ for $(\tilde{A}, S) \in (F_5 \cup \{A\}) \times F_6 \setminus \{(A_i, S_i) \mid i = 1, 2, 3\}$;

(iii) There exist $(i, j) \in \{(1, 3), (2, 3)\}$ and $k \in \{1, 2, 3\}$ such that for $A' := A \oplus R_i \oplus R_j \notin F_5$ we have $F_6(S_k) \oplus A' \in \mathcal{C}_2$;

(iv) There exist $i, j, k, \ell \in \{1, 2, 3\}$, $i \ne j$, such that for $A'' := A_\ell \oplus R_i \oplus R_j \notin F_5$ we have $F_6(S_k) \oplus A'' \in \mathcal{C}_2$;

(v) $R_i \oplus R_j \oplus A_j \oplus \tilde{A} = 0$ for $i, j \in \{1, 2, 3\}$, $\tilde{A} \in \{A, A_1, A_2, A_3\}$, and $(i, j, \tilde{A}) \notin \{(i, i, A_i) \mid i = 1, 2, 3\} \cup \{(1, 2, A_3), (2, 1, A)\}$.



The following two lemmas upper bound the probability of these events occurring.

Lemma B.3. $\Pr[\mathrm{Bad}_P] = O(B^2 \cdot 2^{-n})$.

Proof. For (i), note that for any two $i, j \in \{1, \ldots, 2B\}$, $i \ne j$, and $h \in \{1, 2\}$, the $i$-th and the $j$-th sampled values agree on their $h$-th half with probability

$$\frac{2^n - 1}{2^{2n} - 1} = O(2^{-n}),$$

and the second half of a fixed element lies in $\{R_1, R_2, R_3\}$ with probability at most $3 \cdot 2^{-n}$. The bound follows by the union bound. Finally, an upper bound on the probability of (iii) is $B^2 \cdot \frac{2^n}{2^{2n} - 1} = O(B^2 \cdot 2^{-n})$. $\square$

Lemma B.4. $\Pr[\mathrm{Bad}_1] = O(B \cdot 2^{-n})$.

Proof. For (i), we observe that the random variable $R_1$ is uniform and independent of $R_2$ and $R_3$, since $A_2$ and $A_3$ are independent of $R_2$ and $R_3$ due to $F_6(S_2)$ and $F_6(S_3)$ being chosen uniformly and independently. Thus, the probability that $R_1 = R_2$, $R_2 = R_3$ or $R_1 = R_3$ is at most $3 \cdot 2^{-n}$.

It is also easy to verify that the value $T' := \tilde{A} \oplus F_6(S)$ is uniformly distributed and independent of $\mathcal{C}$ for $(\tilde{A}, S) \in (F_5 \cup \{A\}) \times F_6 \setminus \{(A_i, S_i) \mid i = 1, 2, 3\}$, and therefore $T' \in \mathcal{C}_2$ holds with probability at most $2B \cdot 2^{-n}$; an upper bound on the probability of (ii) follows by the union bound.

To bound (iii), we use the fact that for all $(i, j) \in \{(1, 3), (2, 3)\}$ and $k \in \{1, 2, 3\}$ the value $T' := F_6(S_k) \oplus A'$ equals

$$F_6(S_k) \oplus F_6(S_1) \oplus T_1 \oplus R_1 \oplus R_2 \oplus R_i \oplus R_j$$

and is hence uniformly distributed and independent of $\mathcal{C}$. Therefore, (iii) occurs with probability at most $2B \cdot 2^{-n}$. Similarly, to bound (iv), we observe that for all $i \ne j$, and $k, \ell \in \{1, 2, 3\}$ the value $T'' := F_6(S_k) \oplus A''$ equals

$$F_6(S_k) \oplus F_6(S_\ell) \oplus T_\ell \oplus R_i \oplus R_j$$

and is therefore uniformly distributed, and independent of $\mathcal{C}$.

In (v) we see that in all cases, substituting $A$ with $A_1 \oplus R_1 \oplus R_2$, $A_i$ with $F_6(S_i) \oplus T_i$, and $R_1$ with $R_2 \oplus A_2 \oplus A_3$, we end up in one of the following two cases: Either the given sum still contains at least one term which is uniformly distributed and independent of the other terms, and thus the sum equals $0$ with probability $2^{-n}$. Or, the resulting equation is $R_2 = R_3$, which does not hold by the choice of these values by D. The actual bound follows by a union bound over all possible combinations. $\square$

From now on, the analysis assumes that neither $\mathrm{Bad}_P$ nor $\mathrm{Bad}_1$ has occurred. Before we proceed in analyzing the rest of the execution, we prove the following lemmas, which will be useful to simplify the analysis below, and which rely on the assumption that the above events do not occur.
Lemma B.5. As long as $F_1 = \{R_1, R_2, R_3\}$ and $F_6 = \{S_1, S_2, S_3\}$, no XorQuery$_1(A_i, 5)$ call (for $i = 1, 2, 3$) results in a recursive ChainQuery call.

Proof. For the if statement within the XorQuery$_1(A_i, 5)$ call to be satisfied, there must exist $A'' = A_i \oplus R_i \oplus R_j$ such that $R_i \ne R_j$ and $P^{-1}(S' \| F_6(S') \oplus A'')|_2 \in \{R_1, R_2, R_3\}$, where $S' \in \{S_1, S_2, S_3\}$. However, since $F_6(S') \oplus A'' \notin \mathcal{C}_2$, as this implies $\mathrm{Bad}_1$, we need to have $P^{-1}(S' \| F_6(S') \oplus A'') \in \mathcal{C}$. But then, since $P^{-1}(S' \| F_6(S') \oplus A'')|_2 \in \{R_1, R_2, R_3\}$, we also have $\mathrm{Bad}_P$. $\square$

Lemma B.6. Assume that $F_1 = \{R_1, R_2, R_3\}$ and $F_6 = \{S_1, S_2, S_3\}$. Then, as long as $\mathrm{Bad}_P$ has not occurred, a call to XorQuery$_2(x, k)$ for $k \in \{3, 4\}$ and $x \notin F_{7-k}$ does not set any new values and does not make any new recursive ChainQuery calls.

Proof. Let $k = 3$ and consider a tuple $(L, R, Z, A, S) \in \mathcal{N}$: This means that querying $P^{-1}$ on input $S \| F_6(S) \oplus A$ (with $S = S_i$ for some $i \in \{1, 2, 3\}$) returns a pair $L \| R$ with $R \notin \{R_1, R_2, R_3\}$. This in particular means that $A \ne A_i$ (as otherwise $R = R_i$), and also that $L \| R \in \mathcal{C}$, as otherwise $S_i \| F_6(S_i) \oplus A \in \mathcal{C}$, and (ii) for $\mathrm{Bad}_1$ would have occurred. However, if the if statement is satisfied, this also means that $P(L \oplus x \oplus Z \| R)|_1 = S' \in \{S_1, S_2, S_3\}$. But since $\mathrm{Bad}_P$ has not happened, this means that there has been a previous $P^{-1}$ query with input $S' \| T'$ which has returned $L \oplus x \oplus Z \| R \in \mathcal{C}$. Yet, since $L \oplus x \oplus Z \ne L$ (due to $x \ne Z$, as otherwise $x \in F_4$), this also means that there has been a collision on the second half, and $\mathrm{Bad}_P$ has occurred.

The case for $k = 4$ is fully symmetric. $\square$

Added complexity in the execution of S stems from the fact that it tests for so-called "virtual chains", and we want to argue that they do not play a role in the upcoming analysis of the attack. First, note that as long as $F_2$ contains at most one element (this is the case for most of the attack), $F_6' = F_6$. Additionally, when calling ChainQuery$(\tilde{A}, 5)$ for $\tilde{A} \in \{A, A_1, A_2, A_3\}$, in order for $F_1 \ne F_1'$ to occur, we need that there exist $(\tilde{A}, S), (\tilde{A}', S') \in \{A, A_1, A_2, A_3\} \times \{S_1, S_2, S_3\}$ such that $\tilde{A} \ne \tilde{A}'$ and $P^{-1}(S \| F_6(S) \oplus \tilde{A})|_2 = P^{-1}(S' \| F_6(S') \oplus \tilde{A}')|_2$. It is not hard to verify that any possible case implies $\mathrm{Bad}_P$ or $\mathrm{Bad}_1$, and hence we can safely ignore virtual chains in the following. (We will indeed need to ignore virtual chains only for as long as the conditions needed for these arguments hold.)

First phase of the simulator's execution. From now on, we continue the analysis of the execution under the assumption that $\mathrm{Bad}_1$ and $\mathrm{Bad}_P$ have not occurred. Upon querying $F_5(A)$, the simulator sets $F_5(A) \xleftarrow{R} \{0,1\}^n$ and then first executes XorQuery$_1(A, 5)$: Note that $A_1 = A \oplus R_1 \oplus R_2 \notin F_5$ (since, at this point, the history of $F_5$ is empty), and $A_1$ satisfies the if statement (with $S' = S_1$ and $R' = R_1$) so that $F_5(A_1) \xleftarrow{R} \{0,1\}^n$ is set and ChainQuery$(A_1, 5)$ is called. Also, no other ChainQuery call occurs, as if the condition in the if statement is true for some other value, then since (ii) in the definition of $\mathrm{Bad}_1$ does not occur, this means that, for some input x, $P(x)$ has been assigned a value from $\mathcal{C}$ whose second half is in $\{R_1, R_2, R_3\}$, which implies $\mathrm{Bad}_P$.

Moreover, in the subsequent execution of ChainQuery$(A_1, 5)$ the procedure XorQuery$_1$ also does not invoke ChainQuery by Lemma B.5. Moreover, $\mathcal{C}(+, A_1, 5) = \{(S_1, R_1)\}$, since $(A_1, S_i, R_j)$ for $(i, j) \ne (1, 1)$ cannot constitute a chain, as this would either imply (i) in the definition of $\mathrm{Bad}_1$ or the fact that $\mathrm{Bad}_P$ occurs. Also, $\mathcal{C}(-, A_1, 5) = \emptyset$, since no $F_3$ and $F_4$ values have been defined so far. Therefore, $(S_1, R_1) \in \mathcal{C}(+, A_1, 5)$ is found and gets completed by CompleteChain to the tuple $(R_1, X, Y_1, Z_1, A_1, S_1)$, by defining

$$X := F_1(R_1) \oplus L_1, \quad Z_1 := F_5(A_1) \oplus S_1, \quad F_4(Z_1) \xleftarrow{R} \{0,1\}^n,$$
$$Y_1 := F_4(Z_1) \oplus A_1, \quad F_2(X) := R_1 \oplus Y_1, \quad F_3(Y_1) := Z_1 \oplus X.$$

We consider the following event defined on these new values.

Definition B.7. The event $\mathrm{Bad}_2$ occurs if one of the following holds:

(i) $Y_1 = Z_1$;

(ii) $Y_1 = Z_1 \oplus R_1 \oplus R$ where $R \in \{R_2, R_3\}$;

(iii) $Z_1 \oplus F_5(A) \in \mathcal{C}_1$;

(iv) $Z_1 \oplus F_5(A) = S_1$.



Lemma B.8. $\Pr[\mathrm{Bad}_2] = O(B \cdot 2^{-n})$.

Proof. For (i) and (ii), since $Y_1$ is uniform and independent of $Z_1$ and of $R_1, R_2, R_3$ by the fact that $F_4(Z_1)$ is set uniformly, the values on both sides are equal with probability $2^{-n}$. Furthermore, both $F_5(A)$ and $F_5(A_1)$ are set uniformly (since $A_1 \ne A$ by $\mathrm{Bad}_1$ not occurring), and thus $Z_1 \oplus F_5(A) = S_1 \oplus F_5(A_1) \oplus F_5(A)$ is uniform and independent of $\mathcal{C}_1$, and is thus in the set with probability at most $2B \cdot 2^{-n}$ by the union bound. Similarly, we show that (iv) occurs with probability $2^{-n}$ only. $\square$

Second phase of the simulator's execution. Subsequently, the simulator schedules calls, in arbitrary order,$^{15}$ to ChainQuery$(X, 2)$, ChainQuery$(Y_1, 3)$ and ChainQuery$(Z_1, 4)$.



Lemma B.9. No ChainQuery invocation preceding the invocation of ChainQuery$(X, 2)$ issues a recursive ChainQuery call. Furthermore, XorQuery$_1(X, 2)$ within ChainQuery$(X, 2)$ also does not trigger a ChainQuery invocation.

Proof. Assume that ChainQuery$(X, 2)$ has not been invoked yet. Calls to XorQuery$_2$ cannot invoke ChainQuery recursively by Lemma B.6 and the fact that $Y_1 \ne Z_1$ (using $\mathrm{Bad}_2$). Also note that XorQuery$_3(Y_1, 3)$ cannot produce recursive ChainQuery calls: Note that $A_1 \ne A$ (equality implies (i) in $\mathrm{Bad}_1$), and therefore any triple $(Y, R, R') \in \mathcal{R}$ must satisfy $R = R'$ and $Y \notin F_3$. But then, we cannot have $Y_1 = Y \in F_3$, and thus the if statement is never satisfied. Similarly, the fact that XorQuery$_3(Z_1, 4)$ does not invoke ChainQuery follows from the fact that both $F_3$ and $F_2$ only contain one single element.

For both possible ChainQuery calls, it is also clear that no additional 3-chains to be completed are found. Namely, within ChainQuery$(Y_1, 3)$, only the chains $(R_1, X, Y_1)$ and $(Y_1, Z_1, A_1)$ are possible, and both have been completed. Moreover, when running ChainQuery$(Z_1, 4)$, the 3-chain $(X, Y_1, Z_1)$ has also already been completed, whereas no chain $(Z_1, A, S_1)$ exists, as this would yield $\mathrm{Bad}_2$.

Finally, when ChainQuery$(X, 2)$ is invoked, we also observe that the if statement in the execution of XorQuery$_1(X, 2)$ cannot be true: It would imply that there exists $X' \ne X$ such that $P(X' \oplus F_1(R_i) \| R_i)|_1 \in \{S_1, S_2, S_3\}$, but since $X' \oplus F_1(R_i) \ne L_i$, this implies $\mathrm{Bad}_P$ (i). $\square$

We hence can consider the execution of ChainQuery$(X, 2)$, as any previous ChainQuery invocation does not affect the history of the simulated round functions. First, note that $\mathcal{C}(-, X, 2) = \{(R_2, S_2), (R_3, S_3)\}$ and $\mathcal{C}(+, X, 2) = \{(Y_1, Z_1)\}$. The latter chain was already completed, therefore both negative chains are completed, by defining values

$$Y_2 := F_2(X) \oplus R_2, \quad F_3(Y_2) \xleftarrow{R} \{0,1\}^n, \quad Z_2 := X \oplus F_3(Y_2),$$
$$F_4(Z_2) := Y_2 \oplus A_2, \quad F_5(A_2) := Z_2 \oplus S_2,$$

as well as

$$Y_3 := F_2(X) \oplus R_3, \quad F_3(Y_3) \xleftarrow{R} \{0,1\}^n, \quad Z_3 := X \oplus F_3(Y_3),$$
$$F_4(Z_3) := Y_3 \oplus A_3, \quad F_5(A_3) := Z_3 \oplus S_3.$$

$^{15}$ In particular, we do not want to make any assumption on the order in which they are called. Of course, it is easier to provide a proof if a certain processing order is assumed, and this would suffice to give a strong argument against S. Still, we opt for showing the strongest statement.

In addition, let us introduce the last bad event in this analysis, defined on the newly defined values.

Definition B.10. The event $\mathrm{Bad}_3$ occurs if one of the following holds:

(i) $F_3 \cap F_4 \ne \emptyset$;

(ii) $Z \oplus F_5(\tilde{A}) \in \mathcal{C}_1$ for $(Z, \tilde{A}) \in F_4 \times F_5 \setminus \{(Z_i, A_i) \mid i = 1, 2, 3\}$.



Lemma B.11. $\Pr[\mathrm{Bad}_3] \le O(2^{-n})$.

Proof. For (i), note that the value of $Z_i$ is independent of the values $Y_1, Y_2, Y_3$ for $i = 2, 3$, and thus equality only occurs with negligible probability. (Recall that we already assume that $Y_1 \ne Z_1$.) Moreover, the case that $Z_1$ equals $Y_2$ or $Y_3$ would already imply $\mathrm{Bad}_2$: This is because we would have, for $i = 2, 3$,

$$Z_1 = Y_i = F_2(X) \oplus R_i = R_1 \oplus Y_1 \oplus R_i.$$

For (ii), we claim that $Z \oplus F_5(\tilde{A})$ is always uniform and independent of $\mathcal{C}$ when it is defined. If $Z = Z_1$, then note that $F_5(A)$ is set uniformly and independently of $Z_1$ and $\mathcal{C}_1$, whereas $F_5(A_i) = X \oplus F_3(Y_i) \oplus S_i$ for $i = 2, 3$, where $F_3(Y_i)$ is set independently and uniformly. If $Z = Z_i$ for $i = 2, 3$, then note that $F_5(A_1)$ and $F_5(A)$ are set uniformly, whereas by the above $F_5(A_{5-i})$ is also independent and uniform. $\square$

Final phase of the simulator's execution. From now on, ChainQuery$(Y_i, 3)$, ChainQuery$(Z_i, 4)$ and ChainQuery$(A_i, 5)$ for $i = 2, 3$ are called, in any order.$^{16}$ The crucial point is reached as soon as one of ChainQuery$(Y_2, 3)$ or ChainQuery$(A_3, 5)$ is invoked. However, we need to show that all calls preceding one of these calls do not start recursions or set additional function values. First, however, we show that no other chains occur, other than those we expect.

Lemma B.12. Only the 3-chains $(Y_i, Z_i, A_i)$ for $i = 1, 2, 3$, $(Y_1, Z_2, A_3)$ and $(Y_2, Z_1, A)$ exist in $F_3 \times F_4 \times F_5$. Moreover, only the three 3-chains $(Z_i, A_i, S_i)$ for $i = 1, 2, 3$ exist in $F_4 \times F_5 \times F_6$.

Proof. Any further chain $(Y_i, Z_j, \tilde{A})$ implies

$$Y_i \oplus F_4(Z_j) \oplus \tilde{A} = R_i \oplus F_2(X) \oplus F_4(Z_j) \oplus \tilde{A} = R_i \oplus F_2(X) \oplus Y_j \oplus A_j \oplus \tilde{A} = R_i \oplus R_j \oplus A_j \oplus \tilde{A} = 0,$$

and hence $\mathrm{Bad}_1$. The second part of the statement follows from $\mathrm{Bad}_3$ not occurring and the fact that $S_1, S_2, S_3 \in \mathcal{C}_1$. $\square$

$^{16}$ Once again, we dispense with any assumption on the execution order adopted by the simulator.
Lemma B.13. No ChainQuery call preceding the invocation of both ChainQuery$(Y_2, 3)$ and ChainQuery$(A_3, 5)$ provokes a recursive ChainQuery call. Also, no XorQuery within the execution of ChainQuery$(Y_2, 3)$ and ChainQuery$(A_3, 5)$ (whichever is executed first) provokes a recursive ChainQuery call.

Proof. We know, by Lemma B.6 and item (i) in the definition of $\mathrm{Bad}_3$ not taking place, that calls to XorQuery$_2(Y_3, 3)$, XorQuery$_2(Z_i, 4)$ for $i = 1, 2$ do not provoke any recursive ChainQuery calls. Furthermore, XorQuery$_3(Y_3, 3)$ cannot invoke ChainQuery, as by Lemma B.12, i.e., the fact that only the three chains $(Z_i, A_i, S_i)$ for $i = 1, 2, 3$ exist in $F_4 \times F_5 \times F_6$, the set $\mathcal{R}$ must be empty. Also, XorQuery$_3(Z_i, 4)$ cannot invoke ChainQuery by the fact that X is the only element of $F_2$.

In addition, none of these ChainQuery calls invokes CompleteChain because of Lemma B.12.

The fact that XorQuery$_1(A_2, 5)$ in ChainQuery$(A_2, 5)$ does not make any ChainQuery calls is implied by Lemma B.5, whereas if ChainQuery$(Y_2, 3)$ is invoked first, then XorQuery$_2(Y_2, 3)$ does not invoke ChainQuery by Lemma B.6, and XorQuery$_3(Y_2, 3)$ does not invoke ChainQuery because of Lemma B.12 as above. $\square$

Finally, we can distinguish two cases:

(1) ChainQuery$(Y_2, 3)$ is invoked first. As shown above, no XorQuery call calls ChainQuery recursively. Then, S finds and completes the chain $(Z_1, A) \in \mathcal{C}(+, Y_2, 3)$. No other chains are found by Lemma B.12. The following values are set:

$$X' := F_3(Y_2) \oplus Z_1, \quad S_4 := F_5(A) \oplus Z_1,$$
$$F_6(S_4) \xleftarrow{R} \{0,1\}^n, \quad L_4 \| R_4 := P^{-1}(S_4 \| F_6(S_4) \oplus A),$$
$$F_1(R_4) := L_4 \oplus X', \quad F_2(X') := Y_2 \oplus R_4.$$

In particular, note that since $S_4 \notin \mathcal{C}_1$ (since $\mathrm{Bad}_3$ (ii) does not occur), then $R_4 \in \mathcal{C}_2$. But then $R_5 := F_2(X') \oplus Y_1 \notin \mathcal{C}_2$, as otherwise this would imply that $\mathrm{Bad}_P$ (iii) occurs, since

$$R_5 = Y_2 \oplus R_4 \oplus Y_1 = F_2(X) \oplus R_2 \oplus R_4 \oplus Y_1 = R_1 \oplus R_2 \oplus R_4.$$

Recall that we assume that $S_5 = F_5(A_3) \oplus Z_2 \notin \mathcal{C}_1$, as this yields $\mathrm{Bad}_3$ (ii). But then, at some point (the latest at the invocation of ChainQuery$(X', 2)$) the chain going through $X'$, $Y_1$, $Z_2$, and $A_3$ needs to be completed. However, no completion is possible, because $R_5 \notin \mathcal{C}_2$ and $S_5 \notin \mathcal{C}_1$ (by $\mathrm{Bad}_3$ (ii)). In fact, this holds regardless of which strategy the simulator employs to complete the chain, and in this concrete case, this is reflected by an abort.



(2) ChainQuery$(A_3, 5)$ is invoked first. The argument is symmetric. First, by Lemma B.13 no XorQuery calls trigger ChainQuery invocations, and S finds and completes the chain $(Y_1, Z_2) \in \mathcal{C}(-, A_3, 5)$, and no other chains are found by Lemma B.12. This in particular means that the following values are set:

$$X' := F_3(Y_1) \oplus Z_2, \quad S_5 := F_5(A_3) \oplus Z_2,$$
$$F_6(S_5) \xleftarrow{R} \{0,1\}^n, \quad L_5 \| R_5 := P^{-1}(S_5 \| F_6(S_5) \oplus A_3),$$
$$F_1(R_5) := L_5 \oplus X', \quad F_2(X') := Y_1 \oplus R_5.$$

Once again, we have that $R_4 := F_2(X') \oplus Y_2 \notin \mathcal{C}_2$ because of $\mathrm{Bad}_P$ not occurring, since $R_5 \in \mathcal{C}_2$, and

$$R_4 = Y_1 \oplus R_5 \oplus Y_2 = R_1 \oplus F_2(X) \oplus R_5 \oplus F_2(X) \oplus R_2 = R_1 \oplus R_2 \oplus R_5.$$

Also, we have assumed that $F_5(A) \oplus Z_1 \notin \mathcal{C}_1$ (as otherwise $\mathrm{Bad}_2$ (iii) occurs). But now, at some point, the chain going through $X'$, $Y_2$, $Z_1$, and $A$ has to be completed. However, this is not possible since $R_4 \notin \mathcal{C}_2$, and $F_5(A) \oplus Z_1 \notin \mathcal{C}_1$.



C A Stronger Attack

We subdivide the distinguisher execution into three phases: chain preparation, computation of chain values, and consistency check; its description is best represented by means of the following tables. Note that if a value in the column "Queries to S" is named with the letter R (or X, Y, Z, A, S, respectively), it is issued to $F_1$ (or $F_2$, $F_3$, $F_4$, $F_5$, $F_6$, respectively).

Chain Preparation.

Step | D computes | Queries to S
1 | $X := X_1 = X_2 = X_3 = X_4$ u.a.r. |
2 | $R_2, R_3$ arbitrary s.t. $R_2 \ne R_3$ | $R_2, R_3$
3 | $S_2 \| T_2 := P(X \oplus F_1(R_2) \| R_2)$ | $S_2$
4 | $S_3 \| T_3 := P(X \oplus F_1(R_3) \| R_3)$ | $S_3$
5 | $A_2 := F_6(S_2) \oplus T_2$, $A_3 := F_6(S_3) \oplus T_3$ |
6 | $R_1 := R_2 \oplus A_2 \oplus A_3$ | $R_1$
7 | $S_1 \| T_1 := P(X \oplus F_1(R_1) \| R_1)$ | $S_1$
8 | $A_1 := F_6(S_1) \oplus T_1$ |
9 | $A_5 := A_1 \oplus R_1 \oplus R_2$ |
10 | $R_4 := R_3 \oplus A_3 \oplus A_5$ | $R_4$
11 | $S_4 \| T_4 := P(X \oplus F_1(R_4) \| R_4)$ | $S_4$
12 | $A_4 := F_6(S_4) \oplus T_4$ |
13 | $A_8 := A_4 \oplus R_4 \oplus R_3$ | $A_8$

Computation of Chain Values.

Step | D computes | Queries to S
14 | | $X$
15 | | $A_1, A_2, A_3, A_4$
16 | $Z_i := F_5(A_i) \oplus S_i$ for $i = 1, 2, 3, 4$ | $Z_1, Z_2, Z_3, Z_4$
17 | $Y_i := F_2(X) \oplus R_i$ for $i = 1, 2, 3, 4$ | $Y_1, Y_2, Y_3, Y_4$
18 | $Y_6 := Y_1$, $Y_5 := Y_2$, $Y_8 := Y_3$, $Y_7 := Y_4$ |
19 | $Z_5 := Z_1$, $Z_6 := Z_2$, $Z_7 := Z_3$, $Z_8 := Z_4$ |
20 | $A_6 := F_4(Z_6) \oplus Y_6$ |
21 | $X_5 := F_3(Y_5) \oplus Z_5$, $X_6 := F_3(Y_6) \oplus Z_6$ | $X_5, X_6$
22 | $R_5 := F_2(X_5) \oplus Y_5$, $R_6 := F_2(X_6) \oplus Y_6$ |
23 | $S_5 \| T_5 := P(X_5 \oplus F_1(R_5) \| R_5)$ |
24 | $S_6 \| T_6 := P(X_6 \oplus F_1(R_6) \| R_6)$ |
25 | |
26 | $X_7 := F_3(Y_7) \oplus Z_7$, $X_8 := F_3(Y_8) \oplus Z_8$ | $X_7, X_8$
27 | $R_7 := F_2(X_7) \oplus Y_7$, $R_8 := F_2(X_8) \oplus Y_8$ | $R_7, R_8$
28 | $S_7 \| T_7 := P(X_7 \oplus F_1(R_7) \| R_7)$ | $S_7$
29 | $S_8 \| T_8 := P(X_8 \oplus F_1(R_8) \| R_8)$ | $S_8$
30 | $A_7 := F_4(Z_7) \oplus Y_7$ | $A_7$

Consistency Check. Check if the following equations hold:

(i) Chain Equalities: for $i = 1, 2, \ldots, 8$ we have:

$$F_1(R_i) = L_i \oplus X_i, \quad F_2(X_i) = R_i \oplus Y_i, \quad F_3(Y_i) = X_i \oplus Z_i,$$
$$F_4(Z_i) = Y_i \oplus A_i, \quad F_5(A_i) = Z_i \oplus S_i, \quad F_6(S_i) = A_i \oplus T_i$$

(ii) Equalities: $X_5 = X_6$, $X_7 = X_8$, $A_7 = A_5$, $A_6 = A_3$.

If all the above equalities hold, output 1, else output 0.
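The thirty steps and the consistency check above, run end to end as an added example that is not part of the paper: against the real world (random round functions with P the six-round Feistel over them) D outputs 1, and against an unsimulated ideal world (P independent of the round functions, no simulator) it outputs 0. The toy half-block size $n = 32$, the choice $R_2 = 1$, $R_3 = 2$ and all Python names are assumptions.

```python
import secrets

N = 32  # constructed toy half-block size n; any n works

def random_function():
    """Lazily sampled random function {0,1}^n -> {0,1}^n (a random round function)."""
    table = {}
    return lambda x: table.setdefault(x, secrets.randbelow(1 << N))

def feistel(F):
    """Real world: six-round Feistel P(L||R) = S||T over F[1..6], with the page's
    names X, Y, Z, A for the intermediate chain values."""
    def P(L, R):
        X = L ^ F[1](R); Y = R ^ F[2](X); Z = X ^ F[3](Y)
        A = Y ^ F[4](Z); S = Z ^ F[5](A); T = A ^ F[6](S)
        return S, T
    return P

def stronger_attack(F, P):
    """Steps 1-30 of Appendix C against oracles F[1..6] and P, followed by the
    consistency check; returns the distinguisher's output bit."""
    R, X, Y, Z, A, S, T, L = ({} for _ in range(8))
    x = secrets.randbelow(1 << N)                    # step 1: X := X_1 = ... = X_4
    R[2], R[3] = 1, 2                                # step 2: arbitrary with R_2 != R_3
    def query_P(i):                                  # S_i||T_i := P(X_i ^ F_1(R_i) || R_i)
        L[i] = X[i] ^ F[1](R[i])
        S[i], T[i] = P(L[i], R[i])
        return F[6](S[i]) ^ T[i]                     # the A_i of steps 5, 8 and 12
    for i in (2, 3):                                 # steps 3-5
        X[i] = x; A[i] = query_P(i)
    R[1] = R[2] ^ A[2] ^ A[3]                        # step 6
    X[1] = x; A[1] = query_P(1)                      # steps 7-8
    A[5] = A[1] ^ R[1] ^ R[2]                        # step 9
    R[4] = R[3] ^ A[3] ^ A[5]                        # step 10
    X[4] = x; A[4] = query_P(4)                      # steps 11-12
    A[8] = A[4] ^ R[4] ^ R[3]                        # step 13
    for i in (1, 2, 3, 4):                           # steps 14-17
        Z[i] = F[5](A[i]) ^ S[i]; Y[i] = F[2](x) ^ R[i]
    Y[6], Y[5], Y[8], Y[7] = Y[1], Y[2], Y[3], Y[4]  # step 18: chains 5-8 reuse
    Z[5], Z[6], Z[7], Z[8] = Z[1], Z[2], Z[3], Z[4]  # step 19: the Y and Z values crosswise
    A[6] = F[4](Z[6]) ^ Y[6]; A[7] = F[4](Z[7]) ^ Y[7]   # steps 20 and 30
    for i in (5, 6, 7, 8):                           # steps 21-29
        X[i] = F[3](Y[i]) ^ Z[i]; R[i] = F[2](X[i]) ^ Y[i]; query_P(i)
    for i in range(1, 9):                            # check (i): round equalities per chain
        if not (F[1](R[i]) == L[i] ^ X[i] and F[2](X[i]) == R[i] ^ Y[i]
                and F[3](Y[i]) == X[i] ^ Z[i] and F[4](Z[i]) == Y[i] ^ A[i]
                and F[5](A[i]) == Z[i] ^ S[i] and F[6](S[i]) == A[i] ^ T[i]):
            return 0
    # check (ii): the cross-chain equalities
    return int(X[5] == X[6] and X[7] == X[8] and A[7] == A[5] and A[6] == A[3])

def real_world():
    """Random round functions with P the Feistel over them: D outputs 1."""
    F = {i: random_function() for i in range(1, 7)}
    return stronger_attack(F, feistel(F))

def unsimulated_ideal_world():
    """P independent of the round functions and no simulator answering the F_i
    queries: the eight chains are inconsistent and D outputs 0, except with
    probability about 2^-n. (A random 2n-bit map stands in for the permutation.)"""
    F = {i: random_function() for i in range(1, 7)}
    table = {}
    def P(L, R):
        return table.setdefault((L, R), (secrets.randbelow(1 << N), secrets.randbelow(1 << N)))
    return stronger_attack(F, P)
```

The real-world run also shows why the check passes there: $X_5 = F_3(Y_2) \oplus Z_1$ and $X_6 = F_3(Y_1) \oplus Z_2$ both equal $X \oplus F_3(Y_1) \oplus F_3(Y_2)$, and the same cancellation gives $X_7 = X_8$.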

Intuition behind the attack. Figure 8 provides a picture of the dependencies between chains that have to be defined consistently by the simulator. The intuition behind this attack is as follows: It seems that any simulator that completes chains one after another does not succeed: no matter in which order it completes the chains, it seems to always end up in a situation where some remaining chain cannot be completed consistently.

Figure 8: Illustration of the more general attack.